[ANN] Apache Tomcat 8.0.37 available

2016-09-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.37. Please note that Tomcat 8.x users should normally be using 8.5.x releases in preference to 8.0.x releases. Apache Tomcat 8.0 is an open source software implementation of the Java Servlet, JavaServer Pages, Java

[ANN] Apache Tomcat 8.5.5 available

2016-09-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.5. Tomcat 8.x users should normally be using 8.5.x releases in preference to 8.0.x releases. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression

[ANN] Apache Tomcat 9.0.0.M10 available

2016-09-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.0.M10. Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 9.0.0.M10 is a

[ANN] Apache Tomcat 8.5.4 available

2016-07-13 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.4. This is the first stable release of the 8.5.x branch. Tomcat 8.x users should now use 8.5.x releases in preference to 8.0.x releases. Apache Tomcat 8 is an open source software implementation of the Java Servlet,

[ANN] Apache Tomcat 9.0.0.M9 available

2016-07-13 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.0.M9. Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 9.0.0.M9 is a milestone

[ANN] Apache Tomcat Native 1.2.8 released

2016-07-04 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.8 stable. The key features of this release are: - Improved performance with concurrent loads - Correctly enable and disable OCSP in the binaries for Windows - Fix a bug in the handling of EAGAIN during

[SECURITY][CORRECTION] CVE-2016-3092 Apache Tomcat Denial of Service

2016-06-22 Thread Mark Thomas
Note: This announcement corrects several errors and omissions in the Tomcat aspects of the announcement for CVE-2016-3092 from the Apache Commons project that was recently forwarded to various Apache Tomcat mailing lists. For the sake of clarity, the Tomcat specific corrections are as follows: 1.

Fwd: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

2016-06-21 Thread Mark Thomas
Original Message From: Jochen Wiedmann Sent: 21 June 2016 10:18:15 BST To: priv...@commons.apache.org, "secur...@apache.org" , Tomcat Security List , announce@apache.org, Apache Commons Developers

[ANN] Apache Tomcat 8.0.35 available

2016-05-25 Thread Mark Thomas
Apologies for the delay in sending this out. The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.35. Apache Tomcat 8.0 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies.

[ANN] Apache Tomcat 8.5.2 BETA available

2016-05-17 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.2 BETA. Apache Tomcat 8.0 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for

[ANN] Apache Tomcat 9.0.0.M6 available

2016-05-17 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.0.M6. Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 9.0.0.M6 is a milestone

[ANN] Apache Tomcat 8.0.33 available

2016-03-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.33. Apache Tomcat 8.0 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.33 includes fixes for issues

[ANN] Apache Tomcat 8.5.0 BETA available

2016-03-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.0 BETA. Apache Tomcat 8.0 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for

[ANN] Apache Tomcat 9.0.0.M4 available

2016-03-19 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.0.M4. Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 9.0.0.M4 is a milestone

[SECURITY] CVE-2015-5346 Apache Tomcat Session fixation

2016-02-22 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CVE-2015-5346 Apache Tomcat Session fixation Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 7.0.5 to 7.0.65 - - Apache Tomcat 8.0.0.RC1 to 8.0.30 - - Apache Tomcat 9.0.0.M1 Description: When recycling

[SECURITY] CVE-2015-5351 Apache Tomcat CSRF token leak

2016-02-22 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CVE-2015-5351 Apache Tomcat CSRF token leak Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 7.0.1 to 7.0.67 - - Apache Tomcat 8.0.0.RC1 to 8.0.31 - - Apache Tomcat 9.0.0.M1 Description: The index

[SECURITY] CVE-2016-0706 Apache Tomcat Security Manager bypass

2016-02-22 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CVE-2016-0706 Apache Tomcat Security Manager bypass Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 6.0.0 to 6.0.44 - - Apache Tomcat 7.0.0 to 7.0.67 - - Apache Tomcat 8.0.0.RC1 to 8.0.30 - - Apache

[SECURITY] CVE-2015-5345 Apache Tomcat Directory disclosure

2016-02-22 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CVE-2015-5345 Apache Tomcat Directory disclosure Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 6.0.0 to 6.0.44 - - Apache Tomcat 7.0.0 to 7.0.66 - - Apache Tomcat 8.0.0.RC1 to 8.0.29 - - Apache Tomcat

[SECURITY] CVE-2016-0714 Apache Tomcat Security Manager Bypass

2016-02-22 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CVE-2016-0714 Apache Tomcat Security Manager Bypass Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 6.0.0 to 6.0.44 - - Apache Tomcat 7.0.0 to 7.0.67 - - Apache Tomcat 8.0.0.RC1 to 8.0.30 - - Apache

[SECURITY] CVE-2016-0763 Apache Tomcat Security Manager Bypass

2016-02-22 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CVE-2016-0763 Apache Tomcat Security Manager Bypass Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 7.0.0 to 7.0.67 - - Apache Tomcat 8.0.0.RC1 to 8.0.30 - - Apache Tomcat 9.0.0.M1 to 9.0.0.M2

[ANN] Apache Tomcat 8.0.32 available

2016-02-10 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.32. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.32 includes fixes for issues

[ANN] Apache Tomcat 9.0.0.M3 available

2016-02-08 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.0.M3. Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 9.0.0.M3 is a milestone release

[ANN] Apache Tomcat Native 1.2.4 released

2016-01-12 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.4 stable. The key features of this release are: - Improvements to renegotiation Note that, unless a regression is discovered in 1.2.x, users should now be using 1.2.x in preference to 1.1.x. Please refer to

[ANN] Apache Tomcat Native 1.2.3 released

2015-12-16 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.3 stable. The key features of this release are: - Java keystore support. - Various fixes to align the Java and native APIs - Various fixes if building without OpenSSL - Windows binaries built with OpenSSL

[ANN] Apache Tomcat 8.0.30 available

2015-12-07 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.30. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.30 includes fixes for issues

[ANN] Apache Tomcat 9.0.0.M1 available

2015-11-19 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.0.M1. Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 9.0.0.M1 is the first milestone

[ANN] Apache Tomcat Native 1.2.2 released

2015-11-10 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.2 stable. The key features of this release are: - ALPN support - SNI support - Add access methods for OpenSSL BIO - Windows binaries built with APR 1.5.1 and OpenSSL 1.0.2d - Itanium binaries no longer

[ANN] Apache Tomcat 8.0.28 available

2015-10-15 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.28. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.28 includes fixes for issues

[ANN] Apache Tomcat 8.0.24 available

2015-07-08 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.24. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.24 includes numerous fixes for

[ANN] End of life for Apache Tomcat 6.0.x

2015-06-03 Thread Mark Thomas
The Apache Tomcat team announces that support for Apache Tomcat 6.0.x will end on 31 December 2016. This means that after 31 December 2016: - releases from the 6.0.x branch are highly unlikely - bugs affecting only the 6.0.x branch will not be addressed - security vulnerability reports will not

[ANN] Apache Tomcat 8.0.23 available

2015-05-26 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.23. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.23 includes numerous fixes for

[ANN] Apache Tomcat 6.0.44 available

2015-05-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.44. Apache Tomcat is an open source software implementation of the Java Servlet, JavaServer Pages and Java Expression Language technologies. This release contains a number of bug fixes and improvements compared to

[SECURITY] CVE-2014-7810: Apache Tomcat Security Manager Bypass

2015-05-14 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CVE-2014-7810 Security Manager Bypass Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 to 8.0.15 - - Apache Tomcat 7.0.0 to 7.0.57 - - Apache Tomcat 6.0.0 to 6.0.43 Description: Malicious

[ANN] Apache Tomcat 8.0.22 available

2015-05-07 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.22. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.22 includes numerous fixes for

[SECURITY] CVE-2014-0230: Apache Tomcat DoS

2015-05-05 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CVE-2014-0230 Denial of Service Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 to 8.0.8 - - Apache Tomcat 7.0.0 to 7.0.54 - - Apache Tomcat 6.0.0 to 6.0.43 Description: When a response for a

[ANN] Apache Tomcat Native 1.1.33 released

2015-03-28 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.1.33 stable. The key features of this release are: - Fixed a crash when the poller returned multiple events for the same socket. - Link Windows binaries with OpenSSL 1.0.1m and APR 1.5.1 Please refer to the

[ANN] Apache Tomcat 8.0.20 available

2015-02-24 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.20. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.20 includes numerous fixes for

[SECURITY] CVE-2014-0227 Apache Tomcat Request Smuggling

2015-02-09 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-0227 Request Smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 to 8.0.8 - - Apache Tomcat 7.0.0 to 7.0.54 - - Apache Tomcat 6.0.0 to 6.0.41 Description: It was possible to

[ANN] Apache Tomcat 8.0.17 available

2015-01-20 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.17. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.17 includes numerous fixes for

[ANN] Apache Tomcat 6.0.43 released

2014-11-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.43. Apache Tomcat is an open source software implementation of the Java Servlet, JavaServer Pages and Java Expression Language technologies. This release contains a number of bug fixes and improvements compared to

[ANN] Apache Tomcat 8.0.15 available

2014-11-12 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.15. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.15 includes numerous fixes for

Re: [ANN] Apache Tomcat Native 1.1.32 released

2014-10-29 Thread Mark Thomas
On 28/10/2014 21:28, Mark Thomas wrote: The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.1.32 stable. The key features of this release are: - Add support for TLSv1.1 and TLSv1.2 - Link Windows binaries with OpenSSL 1.0.1i and APR 1.5.1 Correction

[SECURITY] CVE-2013-4444 Remote Code Execution in Apache Tomcat

2014-09-10 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2013- Remote Code Execution Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 7.0.0 to 7.0.39 Description: In very limited circumstances, it was possible for an attacker to upload a malicious

[ANN] Apache Tomcat 8.0.12 available

2014-09-04 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.12. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.12 includes numerous fixes for

[ANN] Apache Tomcat 8.0.11 (stable) available

2014-08-26 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.11. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.11 includes numerous fixes for

[ANN] Apache Tomcat 8.0.9 (stable) available

2014-06-26 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.9, the first stable release of the 8.0.x series. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies.

[SECURITY] CVE-2014-0075 Apache Tomcat denial of service

2014-05-27 Thread Mark Thomas
CVE-2014-0075 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.3 - Apache Tomcat 7.0.0 to 7.0.52 - Apache Tomcat 6.0.0 to 6.0.39 Description: It was possible to craft a malformed chunk size as part of a chunked

[SECURITY] CVE-2014-0096 Apache Tomcat information disclosure

2014-05-27 Thread Mark Thomas
CVE-2014-0096 Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.3 - Apache Tomcat 7.0.0 to 7.0.52 - Apache Tomcat 6.0.0 to 6.0.39 Description: The default servlet allows web applications to define (at multiple

[SECURITY] CVE-2014-0119 Apache Tomcat information disclosure

2014-05-27 Thread Mark Thomas
CVE-2014-0119 Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.5 - Apache Tomcat 7.0.0 to 7.0.53 - Apache Tomcat 6.0.0 to 6.0.39 Description: In limited circumstances it was possible for a malicious web

[SECURITY] CVE-2014-0095 Apache Tomcat denial of service

2014-05-27 Thread Mark Thomas
CVE-2014-0095 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC2 to 8.0.3 Description: A regression was introduced in revision 1519838 that caused AJP requests to hang if an explicit content length of zero was set on the

[ANN] Apache Tomcat 6.0.41 released

2014-05-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.41 stable. Apache Tomcat 6.0.41 is primarily a bug fix release. The notable changes include: - Add support for using ecj-P20140317-1600.jar to use Java 8 syntax in JSPs - Update native library to 1.1.30 - Various

[ANN] Apache Tomcat 8.0.8 (beta) available

2014-05-22 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.8 (beta). Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8 is aligned with Java EE 7.

[SECURITY] CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service)

2014-02-25 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service) Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5 - - Apache Tomcat 7.0.0 to 7.0.47 - - Apache Tomcat 6.0.0 to

[SECURITY] CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure)

2014-02-25 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure) Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 - - Apache Tomcat 7.0.0 to 7.0.42 - - Apache Tomcat 6.0.0 to 6.0.37

[ANN] Apache Tomcat 6.0.39 released

2014-02-03 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.39 stable. Apache Tomcat 6.0.39 is primarily a security and bug fix release. The notable changes include: - Various improvements to XML configuration file validation. - Better adherence to RFC2616 for Content-Type

[ANN] Apache Tomcat 8.0.0-RC10 (alpha) available

2013-12-27 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.0-RC10 (alpha). Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8 is aligned with Java

[ANN] Apache Tomcat 8.0.0-RC5 (alpha) available

2013-10-21 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.0-RC5 (alpha). Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8 is aligned with Java

[ANN] Apache Tomcat 8.0.0-RC3 (alpha) available

2013-09-24 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.0-RC3 (alpha). Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8 is aligned with Java

[ANN] Apache Tomcat 8.0.0-RC1 (alpha) available

2013-08-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.0-RC1 (alpha). Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8 is aligned with Java

[ANN] Apache Tomcat 7.0.41 released

2013-06-11 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.41. Apache Tomcat is an open source software implementation of the Java Servlet, JavaServer Pages and Java Expression Language technologies. This release contains a number of bug fixes and improvements compared to

CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException

2013-05-10 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.39 Description: Bug 54178 described a scenario where

[ANN] Apache Tomcat 7.0.40 released

2013-05-10 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.40. Apache Tomcat is an open source software implementation of the Java Servlet, JavaServer Pages and Java Expression Language technologies. This release contains a security fix and a number of bug fixes and

[ANN] Apache Tomcat 7.0.39 released

2013-03-27 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.39. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release contains a number of bug fixes and improvements compared to version 7.0.37. The notable

[ANN] Apache Tomcat 7.0.37 released

2013-02-18 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.37. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release contains a small number of bug fixes and improvements compared to version 7.0.35. The

[ANN] Apache Tomcat 7.0.35 released

2013-01-16 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.35. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release contains a small number of bug fixes and improvements compared to version 7.0.34. The

Re: [ANN] End of life for Apache Tomcat 5.5.x

2013-01-02 Thread Mark Thomas
On 10/08/2011 13:00, Mark Thomas wrote: The Apache Tomcat team announces that support for Apache Tomcat 5.5.x will end on 30 September 2012. This means that after 30 September 2012: - releases from the 5.5.x branch are highly unlikely - bugs affecting only the 5.5.x branch

[ANN] Apache Tomcat 7.0.34 released

2012-12-12 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.34. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release contains a small number of bug fixes and improvements compared to version 7.0.33. The

CVE-2012-4534 Apache Tomcat denial of service

2012-12-04 Thread Mark Thomas
CVE-2012-4534 Apache Tomcat denial of service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.27 - Tomcat 6.0.0 to 6.0.35 Description: When using the NIO connector with sendfile and HTTPS enabled, if a client breaks the connection while

CVE-2012-3546 Apache Tomcat Bypass of security constraints

2012-12-04 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2012-3546 Apache Tomcat Bypass of security constraints Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.29 - - Tomcat 6.0.0 to 6.0.35 Earlier unsupported versions may also be affected

CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter

2012-12-04 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.31 - - Tomcat 6.0.0 to 6.0.35 Description: The CSRF prevention filter could be

[ANN] Apache Tomcat 7.0.33 released

2012-11-21 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.33. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release contains a small number of bug fixes and improvements compared to version 7.0.32. The

Fwd: [ANN] Apache Tomcat 6.0.36 released

2012-11-06 Thread Mark Thomas
It has been brought to the attention of the Apache Tomcat PMC that the Tomcat 6.0.36 release announcement below was sent to the Tomcat users list and the Tomcat developers list but not the Tomcat and ASF announce lists. Please accept our apologies if you missed the Apache Tomcat 6.0.36 release

[SECURITY] CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses

2012-11-05 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.29 - - Tomcat 6.0.0 to 6.0.35 - - Tomcat 5.5.0 to 5.5.35 - - Earlier, unsupported

[ANN] Apache Tomcat 5.5.36 released

2012-10-10 Thread Mark Thomas
The Apache Tomcat Team announces the immediate availability of Apache Tomcat 5.5.36. Apache Tomcat 5.5.36 is primarily a bug-fix release. As per the previous end of life announcement [1] this will almost certainly be the final Apache Tomcat 5.5.x release. Users of the 5.5.x series are strongly

[ANN] Apache Tomcat 7.0.30 released

2012-09-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.30. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release contains numerous bug fixes and improvements compared to version 7.0.29. The notable

[ANN] Apache Tomcat 7.0.28 released

2012-06-19 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.28. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release includes many improvements as well as a number of bug fixes compared to version

[ANN] Apache Tomcat 7.0.27 released

2012-04-07 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.27. This release includes significant new features as well as a number of bug fixes compared to version 7.0.26. The notable changes include: * Support for the WebSocket protocol (RFC6455). Both streaming and

[ANN] Apache Tomcat 7.0.26 released

2012-02-22 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.26. This release is primarily a bug fix release and includes numerous bug fixes compared to version 7.0.25. The notable bug fixes include: * Improved @HandlesTypes processing which no longer loads all

[ANN] Apache Tomcat 7.0.25 released

2012-01-21 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.25. This release includes numerous bug fixes and several new features compared to version 7.0.23. The notable new features include: * Align the Servlet 3.0 implementation with the changes defined in the first

[SECURITY] CVE-2011-3375 Apache Tomcat Information disclosure

2012-01-17 Thread Mark Thomas
CVE-2011-3375 Apache Tomcat Information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.21 - Tomcat 6.0.30 to 6.0.33 - Earlier versions are not affected Description: For performance reasons, information parsed from a request is

[SECURITY] Apache Tomcat and the hashtable collision DoS vulnerability

2011-12-28 Thread Mark Thomas
You may have read about a recently announced vulnerability rooted in the Java hashtable implementation [1]. Since Apache Tomcat uses a hashtable for storing HTTP request parameters, it is affected by this issue. As per [1], it appears that Oracle will not be providing a fix for this vulnerability
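Added example, not part of the announcement above and not Tomcat project code: it shows why a hashtable keyed by request parameter names is exposed to this issue, and the shape of the mitigation. The first functions reproduce Java's String.hashCode() and build thousands of distinct parameter names that share one hash value (the well-known 'Aa'/'BB' construction, which is what makes insertion into a Java HashMap degrade to quadratic time). The form-body parser at the end is a constructed stand-in, not a servlet container's real parser; it caps the number of parameters it will accept, which is the kind of limit Tomcat exposes through the Connector's maxParameterCount attribute (default 10000). The request body used in the demonstration is constructed inline.

```python
import itertools
from typing import Dict, List
from urllib.parse import unquote_plus


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over the UTF-16 code units
    (BMP characters only here), wrapped to a signed 32-bit int as the JVM does."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def colliding_keys(n_blocks: int) -> List[str]:
    """Build 2**n_blocks distinct strings that all share one Java hashCode.
    'Aa' and 'BB' both hash to 2112, and since
    hash(a + b) == hash(a) * 31**len(b) + hash(b) for any concatenation,
    every combination of equal-length, equal-hash blocks collides as well."""
    return ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=n_blocks)]


def all_collide(keys: List[str]) -> bool:
    """True when every key maps to the same Java hashCode (one HashMap bucket)."""
    return len({java_string_hash(k) for k in keys}) == 1


def parse_form_body(body: str, max_parameter_count: int = 10_000) -> Dict[str, List[str]]:
    """Constructed stand-in for a container's parameter parser (assumption: not
    Tomcat's code). Parses an application/x-www-form-urlencoded body into
    name -> [values] and rejects the request once the parameter count exceeds
    max_parameter_count, bounding the work an attacker can force per request.
    (Python's own str hashing is randomised, so the dict here is not the weak
    point; the cap is the part that matters for the Java case.)"""
    params: Dict[str, List[str]] = {}
    seen = 0
    for pair in body.split("&"):
        if not pair:
            continue
        seen += 1
        if seen > max_parameter_count:
            raise ValueError(
                f"request has more than {max_parameter_count} parameters; rejected"
            )
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


if __name__ == "__main__":
    keys = colliding_keys(12)  # 4096 distinct names, one shared hashCode
    print(len(keys), "keys, hashCode", java_string_hash(keys[0]), "shared:", all_collide(keys))
    body = "&".join(f"{k}=x" for k in keys)  # constructed attacker-style body
    try:
        parse_form_body(body, max_parameter_count=1000)
    except ValueError as exc:
        print("rejected:", exc)
    print(parse_form_body("user=alice&role=admin&role=ops"))
```

Generating a few thousand colliding names is enough to see the mechanism; the practical defence is the parameter cap (and the upstream Tomcat release that added it), not changing the hash function from inside a web application.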

[ANN] Apache Tomcat 7.0.23 released

2011-11-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.23. This release includes numerous bug fixes and several new features compared to version 7.0.22. The notable new features include: * The ability to start and stop child containers (primarily Contexts: i.e. web

[SECURITY] CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app

2011-11-08 Thread Mark Thomas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.21 Description: This issue only affects environments running web applications that

[ANN] Apache Tomcat 7.0.22 released

2011-10-01 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.22. Apache Tomcat 7.0.22 includes bug fixes and new features compared to version 7.0.21 including: - Further improvements to the memory leak detection and prevention features. - Fix issue that prevented using SSL with

[SECURITY] CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)

2011-08-12 Thread Mark Thomas
CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat) Severity: Important Vendor: The Apache Software Foundation Versions Affected: Tomcat 7.0.0 to 7.0.19 Tomcat 6.0.30 to 6.0.32 Tomcat 5.5.32 to 5.5.33 Description: Due to a bug in the capabilities code, jsvc (the service

[SECURITY] CVE-2011-2481: Apache Tomcat information disclosure vulnerability

2011-08-12 Thread Mark Thomas
CVE-2011-2481: Apache Tomcat information disclosure vulnerability Severity: low Vendor: The Apache Software Foundation Versions Affected: Tomcat 7.0.0 to 7.0.16 Previous versions are not affected. Description: The re-factoring of XML validation for Tomcat 7.0.x re-introduced the vulnerability

[ANN] End of life for Apache Tomcat 5.5.x

2011-08-10 Thread Mark Thomas
The Apache Tomcat team announces that support for Apache Tomcat 5.5.x will end on 30 September 2012. This means that after 30 September 2012: - releases from the 5.5.x branch are highly unlikely - bugs affecting only the 5.5.x branch will not be addressed - security vulnerability reports will not

[ANN] Apache Tomcat 7.0.19 released

2011-07-19 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.19. Apache Tomcat 7.0.19 includes security fixes, bug fixes and the following new features compared to version 7.0.16: - JSP recompilation is now triggered by any change (backwards as well as forwards) in the last

[SECURITY] CVE-2011-2526 Apache Tomcat Information disclosure and availability vulnerabilities

2011-07-13 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2011-2526: Apache Tomcat Information disclosure and availability vulnerabilities Severity: low Vendor: The Apache Software Foundation Versions Affected: Tomcat 7.0.0 to 7.0.18 Tomcat 6.0.0 to 6.0.32 Tomcat 5.5.0 to 5.0.33

[ANN] Apache Tomcat 7.0.16 released

2011-06-17 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.16. Apache Tomcat 7.0.16 includes bug fixes and the following new features compared to version 7.0.14: - NIO implementation of the AJP connector - Enable Servlet 3 asynchronous processing support when using

[SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass

2011-04-06 Thread Mark Thomas
CVE-2011-1183 Apache Tomcat security constraint bypass Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.11 - Earlier versions are not affected Description: A regression in the fix for CVE-2011-1088 meant that security constraints were ignored when no

[SECURITY] CVE-2011-1475 Apache Tomcat information disclosure

2011-04-06 Thread Mark Thomas
CVE-2011-1475 Apache Tomcat information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.11 - Earlier versions are not affected Description: Changes introduced to the HTTP BIO connector to support Servlet 3.0 asynchronous requests

[ANN] Apache Tomcat 7.0.11 released

2011-03-11 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.11. Apache Tomcat 7.0.11 is primarily a security fix release with a small number of additional bug fixes compared to 7.0.10. Please refer to the change log for the list of changes:

[SECURITY] Tomcat 7 ignores @ServletSecurity annotations

2011-03-09 Thread Mark Thomas
The fix in Tomcat 7.0.10 was incomplete. @SecurityAnnotations are still ignored when there are no security constraints defined in web.xml (a typical use case). There will be a Tomcat 7.0.11 release shortly to address this. In the meantime, the workaround of specifying at least one security

[ANN] Apache Tomcat 7.0.8 released

2011-02-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.8. Apache Tomcat 7.0.8 is primarily a security and bug fix release with numerous fixes compared to 7.0.6. Please refer to the change log for the list of changes: http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

[SECURITY] CVE-2011-0534 Apache Tomcat DoS vulnerability

2011-02-06 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2011-0534 Apache Tomcat DoS vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.6 - - Tomcat 6.0.0 to 6.0.30 Description: Tomcat did not enforce the maxHttpHeaderSize limit while

[SECURITY] CVE-2011-0013 Apache Tomcat Manager XSS vulnerability

2011-02-06 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2011-0013 Apache Tomcat Manager XSS vulnerability Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.5 - - Tomcat 6.0.0 to 6.0.29 - - Tomcat 5.5.0 to 5.5.31 - - Earlier, unsupported versions may also

[SECURITY] CVE-2010-3718 Apache Tomcat Local bypass of security manager file permissions

2011-02-04 Thread Mark Thomas
CVE-2010-3718 Apache Tomcat Local bypass of security manager file permissions Severity: Low Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.3 - Tomcat 6.0.0 to 6.0.? - Tomcat 5.5.0 to 5.5.? - Earlier, unsupported versions may also be affected Description: When

[ANN] Apache Tomcat 7.0.6 released

2011-01-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.6. This is the first stable release of the Tomcat 7 branch. Apache Tomcat 7.0.6 contains further performance improvements in session management, a new binary distribution targeted at users embedding Tomcat in other

[SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

2010-11-22 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.4 - Not affected in default configuration.
