[ANN] Apache Tomcat 11.0.0-M18 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M18 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M18 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M17 include:

- Reduce minimum Java version to Java 17
- When restoring a saved POST request after a successful FORM authentication, ensure that neither the URI, the query string nor the protocol are corrupted when restoring the request body.
- Align error handling for Writer and OutputStream. Ensure use of either once the response has been recycled triggers a NullPointerException provided that discardFacades is configured with the default value of true.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[SECURITY] CVE-2024-23672 Apache Tomcat - Denial of Service
CVE-2024-23672 Apache Tomcat - Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M16
Apache Tomcat 10.1.0-M1 to 10.1.18
Apache Tomcat 9.0.0-M1 to 9.0.85
Apache Tomcat 8.5.0 to 8.5.98

Description:
It was possible for a WebSocket client to keep a WebSocket connection open leading to increased resource consumption.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M17 or later
- Upgrade to Apache Tomcat 10.1.19 or later
- Upgrade to Apache Tomcat 9.0.86 or later
- Upgrade to Apache Tomcat 8.5.99 or later

History:
2024-03-13 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
[SECURITY] CVE-2024-24549 Apache Tomcat - Denial of Service
CVE-2024-24549 Apache Tomcat - Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M16
Apache Tomcat 10.1.0-M1 to 10.1.18
Apache Tomcat 9.0.0-M1 to 9.0.85
Apache Tomcat 8.5.0 to 8.5.98

Description:
When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M17 or later
- Upgrade to Apache Tomcat 10.1.19 or later
- Upgrade to Apache Tomcat 9.0.86 or later
- Upgrade to Apache Tomcat 8.5.99 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team by Bartek Nowotarski (https://nowotarski.info/).

History:
2024-03-13 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
[ANN] Apache Tomcat Native 1.3.0 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.3.0 stable.

The key features of this release are:

- The minimum supported OpenSSL version is 1.1.1
- The minimum supported APR version is 1.6.3
- The Windows binaries in this release have been built with OpenSSL 3.0.13

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 1.3.x provides a portable API for features not found in contemporary JDKs. It uses Apache Portable Runtime as operating system abstraction layer and OpenSSL for SSL networking and allows optimal performance in production environments.
[ANN] Apache Tomcat Native 2.0.7 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 2.0.7 stable.

The key features of this release are:

- Align default pass phrase prompt with httpd on Windows
- The Windows binaries in this release have been built with OpenSSL 3.0.13

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x or later but can be used with earlier versions as long as the APR/native connector is not used.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 2.0.x provides an API for using OpenSSL for SSL networking with Apache Tomcat.
Re: [SECURITY] CVE-2024-21733 Apache Tomcat - Information Disclosure
Correcting the CVE reference in the text (the subject line is correct)

Mark

On 19/01/2024 10:17, Mark Thomas wrote:
> CVE-2023-21733 Apache Tomcat - Information Disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0-M11 to 9.0.43
> Apache Tomcat 8.5.7 to 8.5.63
>
> Description:
> Incomplete POST requests triggered an error response that could contain data from a previous request from another user.
>
> Mitigation:
> Users of the affected versions should apply one of the following mitigations:
> - Upgrade to Apache Tomcat 9.0.44 or later
> - Upgrade to Apache Tomcat 8.5.64 or later
>
> Credit:
> This vulnerability was reported responsibly to the Tomcat security team by xer0dayz from Sn1perSecurity LLC.
>
> History:
> 2024-01-19 Original advisory
>
> References:
> [3] https://tomcat.apache.org/security-9.html
> [4] https://tomcat.apache.org/security-8.html
[SECURITY] CVE-2024-21733 Apache Tomcat - Information Disclosure
CVE-2023-46589 Apache Tomcat - Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0-M11 to 9.0.43
Apache Tomcat 8.5.7 to 8.5.63

Description:
Incomplete POST requests triggered an error response that could contain data from a previous request from another user.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.44 or later
- Upgrade to Apache Tomcat 8.5.64 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team by xer0dayz from Sn1perSecurity LLC.

History:
2024-01-19 Original advisory

References:
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
[ANN] Apache Tomcat 11.0.0-M16 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M16 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M16 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M15 include:

- Fix virtual thread support for the NIO2 connector
- Correct a regression in the fix for 67675 that broke TLS key file parsing for PKCS#8 format keys that do not specify an explicit pseudo-random function and rely on the default. This typically affects keys generated by OpenSSL 1.0.2.
- Allow multiple operations with the same name on introspected mbeans, fixing a regression caused by the introduction of a second addSslHostConfig() method.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 11.0.0-M15 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M15 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M15 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M14 include:

- Background processes for a Container no longer execute while lifecycle operations are in progress for that Container.
- Align with the latest additions and changes from the Servlet 6.1 specification.
- Update the sample.war included in the documentation to use the Jakarta EE APIs.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[SECURITY] CVE-2023-46589 Apache Tomcat - Request Smuggling
CVE-2023-46589 Apache Tomcat - Request Smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M10
Apache Tomcat 10.1.0-M1 to 10.1.15
Apache Tomcat 9.0.0-M1 to 9.0.82
Apache Tomcat 8.5.0 to 8.5.95

Description:
Tomcat did not correctly parse HTTP trailer headers. A specially crafted trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M11 or later
- Upgrade to Apache Tomcat 10.1.16 or later
- Upgrade to Apache Tomcat 9.0.83 or later
- Upgrade to Apache Tomcat 8.5.96 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team by Norihito Aimoto (OSSTech Corporation).

History:
2023-11-28 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
[ANN] Apache Tomcat 11.0.0-M14 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M14 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M14 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M13 include:

- Add OpenSSL integration using the FFM API rather than Tomcat Native. OpenSSL support may be enabled by adding the org.apache.catalina.core.OpenSSLLifecycleListener listener on the Server element when using Java 22 or later.
- Fix reloading TLS configuration could cause the Connector to refuse new connections or the JVM to crash.
- Ensure that an IOException during the reading of the request always triggers error handling, regardless of whether the application swallows the exception.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 11.0.0-M13 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M13 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M13 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M12 include:

- Correct a regression in 11.0.0-M12 that broke the Tomcat JDBC connection pool.
- Correct a regression in 11.0.0-M12 that broke HTTP compression.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[SECURITY] CVE-2023-42795 Apache Tomcat - information disclosure
CVE-2023-42795 Apache Tomcat - information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M11
Apache Tomcat 10.1.0-M1 to 10.1.13
Apache Tomcat 9.0.0-M1 to 9.0.80
Apache Tomcat 8.5.0 to 8.5.93

Description:
When recycling various internal objects, including the request and the response, prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M12 or later
- Upgrade to Apache Tomcat 10.1.14 or later
- Upgrade to Apache Tomcat 9.0.81 or later
- Upgrade to Apache Tomcat 8.5.94 or later

Credit:
This vulnerability was identified by the Tomcat security team.

History:
2023-10-10 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
[SECURITY] CVE-2023-45648 Apache Tomcat - Request Smuggling
CVE-2023-45648 Apache Tomcat - Request Smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M11
Apache Tomcat 10.1.0-M1 to 10.1.13
Apache Tomcat 9.0.0-M1 to 9.0.80
Apache Tomcat 8.5.0 to 8.5.93

Description:
Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M12 or later
- Upgrade to Apache Tomcat 10.1.14 or later
- Upgrade to Apache Tomcat 9.0.81 or later
- Upgrade to Apache Tomcat 8.5.94 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team by Keran Mu and Jianjun Chen from Tsinghua University and Zhongguancun Laboratory.

History:
2023-10-10 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
[SECURITY] CVE-2023-44487 Apache Tomcat - HTTP/2 DoS
CVE-2023-44487 Apache Tomcat - HTTP/2 DoS

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M11
Apache Tomcat 10.1.0-M1 to 10.1.13
Apache Tomcat 9.0.0-M1 to 9.0.80
Apache Tomcat 8.5.0 to 8.5.93

Description:
Tomcat's HTTP/2 implementation was vulnerable to the rapid reset attack. The denial of service typically manifested as an OutOfMemoryError.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M12 or later
- Upgrade to Apache Tomcat 10.1.14 or later
- Upgrade to Apache Tomcat 9.0.81 or later
- Upgrade to Apache Tomcat 8.5.94 or later

History:
2023-10-10 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
[SECURITY] CVE-2023-42794 Apache Tomcat - denial of service
CVE-2023-42794 Apache Tomcat - denial of service

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.70 to 9.0.80
Apache Tomcat 8.5.85 to 8.5.93

Description:
Tomcat's internal fork of Commons FileUpload included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.81 or later
- Upgrade to Apache Tomcat 8.5.94 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team by Mohammad Khedmatgozar (cellbox).

History:
2023-10-10 Original advisory

References:
[1] https://tomcat.apache.org/security-9.html
[2] https://tomcat.apache.org/security-8.html
[ANN] Apache Tomcat 11.0.0-M12 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M12 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M12 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M11 include:

- Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates.
- Remove support for HTTP/2 server push
- Update Tomcat Native to 2.0.6 to pick up Windows binaries built with OpenSSL 3.0.11

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat Native 1.2.39 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.39 stable.

The key features of this release are:

- Disable OCSP if the insecure optionalNoCA certificate verification option is used
- The binaries for Windows in this release have been built with OpenSSL 3.0.11

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides a portable API for features not found in contemporary JDKs. It uses Apache Portable Runtime as operating system abstraction layer and OpenSSL for SSL networking and allows optimal performance in production environments.
[ANN] Apache Tomcat Native 2.0.6 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 2.0.6 stable.

The key features of this release are:

- Disable OCSP if the insecure optionalNoCA certificate verification option is used
- The binaries for Windows in this release have been built with OpenSSL 3.0.11

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x or later but can be used with earlier versions as long as the APR/native connector is not used.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 2.0.x provides an API for using OpenSSL for SSL networking with Apache Tomcat.
[SECURITY] CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure
CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat Connectors mod_jk Connector 1.2.0 to 1.2.48

Description:
In some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd.

As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration.

Only mod_jk is affected by this issue. The ISAPI redirector is not affected.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat Connector (mod_jk) 1.2.49 or later.
- Ensure explicit mounts are configured for all possible proxied requests

Credit:
This vulnerability was reported responsibly to the Tomcat security team by Karl von Randow.

References:
[1] http://tomcat.apache.org/security-jk.html
[ANN] Apache Tomcat Connectors 1.2.49 released
The Apache Tomcat Connectors project is part of the Tomcat project and provides web server plugins for httpd (mod_jk) and IIS (ISAPI) to connect those web servers with Tomcat and other backends.

The Apache Tomcat Project is proud to announce the release of version 1.2.49 of the Apache Tomcat Connectors. This version fixes a number of bugs found in previous releases.

Full details of these changes and new features are available in the Apache Tomcat Connectors changelog:
https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html

In addition to the usual source release, this release includes Windows binaries for the JK ISAPI connector for IIS.

Downloads:
https://tomcat.apache.org/download-connectors.cgi

Thank you,

-- The Apache Tomcat Team
[ANN] Apache Tomcat 8.5.93 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.93.

Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.

Apache Tomcat 8.5.93 is a bugfix and feature release. The notable changes compared to 8.5.92 include:

- If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
- Fix for FORM authentication open redirect - CVE-2023-41080

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0:
https://tomcat.apache.org/migration.html

Please note that Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024. For more information please visit
https://tomcat.apache.org/tomcat-85-eol.html

Enjoy!

- The Apache Tomcat team
[SECURITY] CVE-2023-41080 Apache Tomcat - open redirect
CVE-2023-41080 Apache Tomcat - Open redirect

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M10
Apache Tomcat 10.1.0-M1 to 10.1.12
Apache Tomcat 9.0.0-M1 to 9.0.79
Apache Tomcat 8.5.0 to 8.5.92

Description:
If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to a URL of the attacker's choice.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M11 or later
- Upgrade to Apache Tomcat 10.1.13 or later
- Upgrade to Apache Tomcat 9.0.80 or later
- Upgrade to Apache Tomcat 8.5.93 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team by Yiheng Cao.

History:
2023-08-25 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
[ANN] Apache Tomcat 10.1.13 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.13.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE which is also available as a separate download for off-line use.

The notable changes compared to 10.1.12 include:

- If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
- Fix for FORM authentication open redirect - CVE-2023-41080

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 9.0.80 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.80.

Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.

Apache Tomcat 9.0.80 is a bugfix and feature release. The notable changes compared to 9.0.79 include:

- If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
- Fix for FORM authentication open redirect - CVE-2023-41080

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 11.0.0-M11 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M11 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M11 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M10 include:

- Update the HTTP parameter handling to align with the changes in the Jakarta Servlet 6.1 API Javadoc for the ServletRequest methods used to obtain request parameters. Invalid parameters and/or exceeding parameter size and/or quantity limits now trigger exceptions. As a consequence, the FailedRequestFilter has been removed.
- If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
- Fix for FORM authentication open redirect - CVE-2023-41080

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 8.5.92 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.92.

Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.

Apache Tomcat 8.5.92 is a bugfix and feature release. The notable changes compared to 8.5.91 include:

- Refactor HTTP/2 implementation to reduce pinning when using virtual threads.
- Fix a NullPointerException when flushing batched WebSocket messages with compression enabled using permessage-deflate.
- Update Tomcat Native to 1.2.38 to pick up Windows binaries built with OpenSSL 1.1.1v

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0:
https://tomcat.apache.org/migration.html

Please note that Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024. For more information please visit
https://tomcat.apache.org/tomcat-85-eol.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 10.1.12 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.12.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes compared to 10.1.11 include:

- Refactor HTTP/2 implementation to reduce pinning when using virtual threads.

- Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM, instead of producing an error trying to parse it.

- Update Tomcat Native to 2.0.5.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 11.0.0-M10 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M10 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M10 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M9 include:

- Refactor HTTP/2 implementation to reduce pinning when using virtual threads.

- Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM, instead of producing an error trying to parse it.

- Update Tomcat Native to 2.0.5.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 11.0.0-M9 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M9 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M9 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M7 include:

- Add ContextNamingInfoListener, a listener which creates context naming information environment entries.

- Add PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file.

- Update the Jakarta EL and Jakarta WebSocket implementations to align with the latest changes planned for Jakarta EE 11.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure
CVE-2023-34981 Apache Tomcat - Information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M5
Apache Tomcat 10.1.8
Apache Tomcat 9.0.74
Apache Tomcat 8.5.88

Description:
The fix for bug 66512 introduced a regression that was fixed as bug 66591. The regression meant that, if a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent, which in turn meant that at least one AJP based proxy (mod_proxy_ajp) would use the response headers from the previous request for the current request, leading to an information leak.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M6 or later
- Upgrade to Apache Tomcat 10.1.9 or later
- Upgrade to Apache Tomcat 9.0.75 or later
- Upgrade to Apache Tomcat 8.5.89 or later

Credit:
Hidenobu Hayashi and Yuichiro Fukubayashi of M3, Inc.

History:
2023-06-21 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
[5] https://bz.apache.org/bugzilla/show_bug.cgi?id=66512
[6] https://bz.apache.org/bugzilla/show_bug.cgi?id=66591
[ANN] Apache Tomcat 11.0.0-M7 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M7 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M7 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M6 include:

- The minimum Java version has been increased to Java 21.

- Add support for virtual threads.

- Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks.

- Update Tomcat Native to 2.0.4 which includes binaries for Windows built with OpenSSL 3.0.9.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat Native 1.2.37 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.37 stable.

The key features of this release are:

- Update the version of OpenSSL used to create the binaries for Windows to OpenSSL 1.1.1u

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides a portable API for features not found in contemporary JDKs. It uses Apache Portable Runtime as an operating system abstraction layer and OpenSSL for SSL networking, and allows optimal performance in production environments.
[ANN] Apache Tomcat Native 2.0.4 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 2.0.4 stable.

The key features of this release are:

- The binaries for Windows in this release have been built with OpenSSL 3.0.9

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x or later but can be used with earlier versions as long as the APR/native connector is not used.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 2.0.x provides an API for using OpenSSL for SSL networking with Apache Tomcat.
[SECURITY] CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete
CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M2 to 11.0.0-M4
Apache Tomcat 10.1.5 to 10.1.7
Apache Tomcat 9.0.71 to 9.0.73
Apache Tomcat 8.5.85 to 8.5.87

Description:
The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters, and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed, with the potential for a denial of service to occur.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M5 or later
- Upgrade to Apache Tomcat 10.1.8 or later
- Upgrade to Apache Tomcat 9.0.74 or later
- Upgrade to Apache Tomcat 8.5.88 or later

Credit:
This issue was identified by Chenwei Jiang, Chenfeng Nie and Yue Yang from the Huawei Nebula Security Lab.

History:
2023-05-22 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
[ANNOUNCEMENT] Commons Daemon 1.3.4 Released
The Apache Commons Team is pleased to announce the availability of Apache Commons Daemon 1.3.4.

The Apache Commons Daemon software library provides a generic Daemon (unix) or Service (Windows) wrapper for Java code.

Version 1.3.4 is a bugfix release. A full list of changes can be found at
https://commons.apache.org/proper/commons-daemon/changes-report.html

Source and binary distributions are available for download from the Apache Commons download site:
https://commons.apache.org/proper/commons-daemon/download_daemon.cgi

Please verify signatures using the KEYS file available at the above location when downloading the release.

For complete information on Commons Daemon, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Daemon website:
https://commons.apache.org/proper/commons-daemon/

Mark
on behalf of the Apache Commons community
[ANN] Apache Tomcat 11.0.0-M6 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M6 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M6 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M5 include:

- Various improvements to access logging.

- Remove support for the HTTP Connector settings rejectIllegalHeader and allowHostHeaderMismatch. These are now hard-coded to the previous defaults.

- Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.7.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 11.0.0-M5 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M5 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M5 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M4 include:

- Reduce the default value of maxParameterCount from 10,000 to 1,000.

- Correct a regression in the fix for bug 66442 that meant that streams without a response body did not decrement the active stream count when completing, leading to ERR_HTTP2_SERVER_REFUSED_STREAM for some connections.

- Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid characters from the base64 alphabet are used.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[SECURITY] CVE-2023-28708 Apache Tomcat - Information Disclosure
CVE-2023-28708 Apache Tomcat - Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M2
Apache Tomcat 10.1.0-M1 to 10.1.5
Apache Tomcat 9.0.0-M1 to 9.0.71
Apache Tomcat 8.5.0 to 8.5.85

Description:
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M3 or later
- Upgrade to Apache Tomcat 10.1.6 or later
- Upgrade to Apache Tomcat 9.0.72 or later
- Upgrade to Apache Tomcat 8.5.86 or later

History:
2023-03-22 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
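The decision the advisory describes, as an added example that is not Tomcat's RemoteIpFilter code: a request that reaches the container over plain HTTP from a trusted reverse proxy with X-Forwarded-Proto: https is effectively HTTPS, so a session cookie issued for it must carry the Secure attribute. The trusted proxy ranges, header values and sample requests are constructed for this illustration, and the audit helper is the check a defender can run over a response.

```python
"""Added example, not Apache Tomcat code. Models the effective-scheme decision
behind CVE-2023-28708 and a response audit for cookies missing Secure.
All addresses, headers and sample requests below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed: forwarding headers are believed only from these peers.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]


@dataclass
class Request:
    remote_addr: str            # peer that connected to the container
    scheme: str                 # scheme of that last hop only
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; empty string when absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def effective_scheme(req: Request) -> str:
    """Scheme the client actually used. X-Forwarded-Proto is honoured only when
    the immediate peer is a trusted proxy; from anyone else it is untrusted input."""
    peer = ip_address(req.remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES):
        forwarded = req.header("X-Forwarded-Proto").strip().lower()
        if forwarded in ("http", "https"):
            return forwarded
    return req.scheme


def session_cookie(req: Request, session_id: str) -> str:
    """Render a Set-Cookie value for a new session. The fixed behaviour: Secure
    is decided from the effective scheme, not from the last hop's scheme."""
    attrs = [f"JSESSIONID={session_id}", "Path=/", "HttpOnly"]
    if effective_scheme(req) == "https":
        attrs.append("Secure")
    return "; ".join(attrs)


def cookie_is_secure(set_cookie: str) -> bool:
    """True when the Set-Cookie value carries the Secure attribute."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    return "secure" in attrs


def insecure_cookies(req: Request, set_cookie_values: list) -> list:
    """Detection check for one response: cookies issued on an effectively HTTPS
    request that lack Secure (the advisory's failure mode)."""
    if effective_scheme(req) != "https":
        return []
    return [c for c in set_cookie_values if not cookie_is_secure(c)]


# Constructed sample requests.
VIA_PROXY = Request("10.1.2.3", "http", {"X-Forwarded-Proto": "https"})
UNTRUSTED_PEER = Request("203.0.113.9", "http", {"x-forwarded-proto": "https"})
PLAIN = Request("10.1.2.3", "http", {})

if __name__ == "__main__":
    for name, req in [("via proxy", VIA_PROXY), ("untrusted", UNTRUSTED_PEER), ("plain", PLAIN)]:
        print(f"{name:10} scheme={effective_scheme(req):5} cookie={session_cookie(req, 'abc')}")
    print("flagged:", insecure_cookies(VIA_PROXY, ["JSESSIONID=abc; Path=/; HttpOnly"]))
```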
[ANN] Apache Tomcat 11.0.0-M4 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M4 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is under development to aid this process.

Apache Tomcat 11.0.0-M4 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M3 include:

- Revert the switch to using the ServiceLoader mechanism to load the custom URL protocol handlers that Tomcat uses. The original system property based approach has been restored.

- Provide an implementation of the sub-set of JavaBeans support that does not depend on the java.beans package. This is for use by Expression Language when the java.desktop module (which is where the java.beans package resides) is not available.

- Restore inline state after async operation in NIO2, to account for the fact that unexpected exceptions are sometimes thrown by the implementation. Patch submitted by zhougang.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 11.0.0-M3 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M3 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is under development to aid this process.

Apache Tomcat 11.0.0-M3 is a first milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 11.0.0-M1 include:

- Increase the minimum supported Java version to Java 17.

- Remove support for starting Tomcat under a SecurityManager.

- Remove JAX-RPC support, which was removed from the Jakarta EE platform for Jakarta EE 9.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[SECURITY] CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts
Re-sending with corrected credit

CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1
Apache Tomcat 10.1.0-M1 to 10.1.4
Apache Tomcat 9.0.0-M1 to 9.0.70
Apache Tomcat 8.5.0 to 8.5.84

Description:
Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M3 or later when released
- Upgrade to Apache Tomcat 10.1.5 or later
- Upgrade to Apache Tomcat 9.0.71 or later
- Upgrade to Apache Tomcat 8.5.85 or later
- Note 11.0.0-M2 was not released

Credit:
This issue was identified by Jakob Ackermann

History:
2023-01-03 Original advisory
2023-01-03 Corrected credit

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[SECURITY] CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts
CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1
Apache Tomcat 10.1.0-M1 to 10.1.4
Apache Tomcat 9.0.0-M1 to 9.0.70
Apache Tomcat 8.5.0 to 8.5.84

Description:
Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M3 or later when released
- Upgrade to Apache Tomcat 10.1.5 or later
- Upgrade to Apache Tomcat 9.0.71 or later
- Upgrade to Apache Tomcat 8.5.85 or later
- Note 11.0.0-M2 was not released

Credit:
This issue was identified by the Apache Tomcat security team.

History:
2023-01-03 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[SECURITY] CVE-2023-24998 Apache Commons FileUpload - DoS with excessive parts
CVE-2023-24998 Apache Commons FileUpload - DoS with excessive parts

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Commons FileUpload 1.0-beta-1 to 1.4

Description:
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Commons FileUpload 1.5 or later

Credit:
This issue was identified by Jakob Ackermann and reported responsibly to the Apache Commons Security Team.

History:
2023-02-20 Original advisory

References:
[1] https://commons.apache.org/proper/commons-fileupload/security-reports.html
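The two limits the FileUpload advisories (CVE-2023-24998) and the incomplete-fix advisory (CVE-2023-28709) describe, as an added example that is neither Tomcat's nor Commons FileUpload's code: a cap on the number of multipart parts, and a request-level budget shared between query-string parameters and parts. The sentinel value, limits, boundary and sample bodies are constructed for this illustration; the point of the budget function is that a fully consumed budget must reject every part rather than be mistaken for "no limit".

```python
"""Added example, not Apache Tomcat or Commons FileUpload code. A minimal
multipart part counter with a hard cap, plus a parameter budget shared between
the query string and the multipart parts. All values are constructed."""
from urllib.parse import parse_qsl

UNLIMITED = -1           # constructed sentinel: the only value that lifts a cap
BOUNDARY = "constructedBoundary"


class TooManyParts(Exception):
    """Raised as soon as the part cap is exceeded."""


def build_multipart(part_count: int, boundary: str = BOUNDARY) -> bytes:
    """Construct a multipart/form-data body with `part_count` simple fields."""
    chunks = []
    for i in range(part_count):
        chunks.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="f{i}"\r\n\r\n'
            f"v{i}\r\n"
        )
    chunks.append(f"--{boundary}--\r\n")
    return "".join(chunks).encode()


def count_parts(body: bytes, boundary: str, max_parts: int) -> int:
    """Count the parts of a multipart body, raising TooManyParts the moment the
    cap is exceeded so the remainder of the upload is never processed.
    Simplified parser: the boundary is assumed not to occur inside a part."""
    delimiter = b"--" + boundary.encode()
    count = 0
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter: --boundary--
            break
        count += 1
        if max_parts != UNLIMITED and count > max_parts:
            raise TooManyParts(f"more than {max_parts} parts")
    return count


def part_budget(max_parameter_count: int, query_string: str) -> int:
    """Parts still allowed once query-string parameters have been charged
    against max_parameter_count. A budget the query string has used up is 0,
    which rejects every part; only UNLIMITED lifts the cap. Letting 0 mean
    "no limit" is the kind of edge case that turns a cap into a bypass."""
    if max_parameter_count == UNLIMITED:
        return UNLIMITED
    used = len(parse_qsl(query_string, keep_blank_values=True))
    return max(0, max_parameter_count - used)


def count_request_parts(query_string: str, body: bytes, boundary: str,
                        max_parameter_count: int) -> int:
    """Count parts under the combined limit, raising TooManyParts on excess."""
    return count_parts(body, boundary, part_budget(max_parameter_count, query_string))


def request_rejected(query_string: str, body: bytes, boundary: str,
                     max_parameter_count: int) -> bool:
    """True when the combined limit rejects the request."""
    try:
        count_request_parts(query_string, body, boundary, max_parameter_count)
    except TooManyParts:
        return True
    return False


if __name__ == "__main__":
    # Query string already consumes the whole budget of 2: any part is rejected.
    print("budget left:", part_budget(2, "a=1&b=2"))
    print("rejected:", request_rejected("a=1&b=2", build_multipart(1), BOUNDARY, 2))
```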
[ANN] Apache Tomcat Native 2.0.3 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 2.0.3 stable.

The key features of this release are:

- The binaries for Windows in this release have been built with OpenSSL 3.0.8

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x or later but can be used with earlier versions as long as the APR/native connector is not used.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 2.0.x provides an API for using OpenSSL for SSL networking with Apache Tomcat.
[ANN] Apache Tomcat Native 1.2.36 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.36 stable.

The key features of this release are:

- Update the version of OpenSSL used to create the binaries for Windows to OpenSSL 1.1.1t

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides a portable API for features not found in contemporary JDKs. It uses Apache Portable Runtime as an operating system abstraction layer and OpenSSL for SSL networking, and allows optimal performance in production environments.
[ANNOUNCE] Apache Commons FileUpload 1.5 Released
The Apache Commons Team is pleased to announce the release of Apache Commons FileUpload 1.5.

The Commons FileUpload software library makes it easy to add robust, high-performance, file upload capability to your servlets and web applications.

Source and binary distributions are available for download from the Apache Commons FileUpload download site:
https://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi

When downloading, please verify signatures using the KEYS file available at the above location when downloading the release.

Alternatively the release can be pulled via maven:

<dependency>
  <groupId>commons-fileupload</groupId>
  <artifactId>commons-fileupload</artifactId>
  <version>1.5</version>
</dependency>

The release notes can be reviewed at:
https://www.apache.org/dist/commons/fileupload/RELEASE-NOTES.txt

For complete information on Commons FileUpload, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons FileUpload website:
https://commons.apache.org/proper/commons-fileupload/

Best regards,
Mark
on behalf of the Apache Commons community
[ANN] Apache Tomcat 10.1.5 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.5.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes compared to 10.1.4 include:

- Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path.

- When resetting an HTTP/2 stream because the final response has been generated before the request has been fully read, use the HTTP/2 error code NO_ERROR so that the client does not discard the response. Based on a suggestion by Lorenzo Dalla Vecchia.

- Change the default of the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless the EL library is running on Tomcat, in which case the default remains false as the EL library is already called from within a privileged block and skipping the unnecessary privileged block improves performance.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[SECURITY] CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection
CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.1
Apache Tomcat 9.0.40 to 9.0.68
Apache Tomcat 8.5.83

Description:
The JsonErrorReportValve did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 10.1.2 or later
- Upgrade to Apache Tomcat 9.0.69 or later
- Upgrade to Apache Tomcat 8.5.84 or later

Credit:
This issue was identified by the Apache Tomcat security team.

History:
2023-01-03 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
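Why the type, message and description values must be escaped, as an added example that is not Tomcat's JsonErrorReportValve code: the naive builder mirrors the defect described above (values dropped into a JSON template verbatim), the safe builder hands every value to a JSON encoder, and a round-trip check shows which output still carries exactly the intended fields. The sample values are constructed.

```python
"""Added example, not Apache Tomcat code. Contrasts an unescaped JSON error
report with an escaped one and checks both by parsing them back.
The sample type, message and description values are constructed."""
import json


def naive_error_json(type_: str, message: str, description: str) -> str:
    # Vulnerable pattern: a quote or control character inside any value either
    # changes the document's structure or makes it unparseable.
    return '{"type":"%s","message":"%s","description":"%s"}' % (
        type_, message, description)


def safe_error_json(type_: str, message: str, description: str) -> str:
    # json.dumps escapes quotes, backslashes and control characters, so a value
    # can only ever appear as string content; ensure_ascii keeps the body 7-bit.
    return json.dumps(
        {"type": type_, "message": message, "description": description},
        ensure_ascii=True,
    )


def round_trips(body: str, type_: str, message: str, description: str) -> bool:
    """True when the body is valid JSON carrying exactly the intended fields
    (no extra keys, no lost or altered values)."""
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    return obj == {"type": type_, "message": message, "description": description}


def decoded_message(body: str) -> str:
    """The message field as a JSON consumer would read it back."""
    return json.loads(body)["message"]


# Constructed sample values. The message is the kind of user-influenced text
# the advisory is about: here it carries a double quote and a line break.
TYPE = "Status Report"
DESCRIPTION = "The requested resource is not available."
BENIGN_MESSAGE = "Not Found"
TAMPERED_MESSAGE = 'Not Found", "extra": "value\n'

if __name__ == "__main__":
    for label, builder in [("naive", naive_error_json), ("safe", safe_error_json)]:
        body = builder(TYPE, TAMPERED_MESSAGE, DESCRIPTION)
        print(label, "round-trips:", round_trips(body, TYPE, TAMPERED_MESSAGE, DESCRIPTION))
        print(repr(body))
```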
[ANN] End of life for Apache Tomcat 8.5.x
Update with a corrected date for the anticipated final 8.5.x release.

The Apache Tomcat team announces that support for Apache Tomcat 8.5.x will end on 31 March 2024.

This means that after 31 March 2024:
- releases from the 8.5.x branch are highly unlikely
- bugs affecting only the 8.5.x branch will not be addressed
- security vulnerability reports will not be checked against the 8.5.x branch

Three months later (i.e. after 30 June 2024):
- the 8.5.x download pages will be removed
- the latest 8.5.x release will be removed from the CDN
- the 8.5.x branch will be made read-only
- the links to the 8.5.x documentation will be removed from tomcat.apache.org
- the bugzilla project for 8.5.x will be made read-only

Note that all 8.5.x releases will always be available from the archive.

It is anticipated that the final 8.5.x release will be made shortly before 31 March 2024.

Users of Apache Tomcat 8.5.x should plan to upgrade to 9.0.x or later before 31 March 2024.
[ANN] End of life for Apache Tomcat 8.5.x
The Apache Tomcat team announces that support for Apache Tomcat 8.5.x will end on 31 March 2024.

This means that after 31 March 2024:
- releases from the 8.5.x branch are highly unlikely
- bugs affecting only the 8.5.x branch will not be addressed
- security vulnerability reports will not be checked against the 8.5.x branch

Three months later (i.e. after 30 June 2024):
- the 8.5.x download pages will be removed
- the latest 8.5.x release will be removed from the CDN
- the 8.5.x branch will be made read-only
- the links to the 8.5.x documentation will be removed from tomcat.apache.org
- the bugzilla project for 8.5.x will be made read-only

Note that all 8.5.x releases will always be available from the archive.

It is anticipated that the final 8.5.x release will be made shortly before 31 March 2021.

Users of Apache Tomcat 8.5.x should plan to upgrade to 9.0.x or later before 31 March 2024.
[ANN] Apache Tomcat 10.1.4 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.4.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes compared to 10.1.2 include:

- Refactor WebappLoader so it only has a runtime dependency on the migration tool for Jakarta EE if configured to use the converter as classes are loaded.

- When an HTTP/2 stream was reset, the current active stream count was not reduced. If enough resets occurred on a connection, the current active stream count limit was reached and no new streams could be created on that connection.

- Update to Commons Daemon 1.3.3

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 11.0.0-M1 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M1 (alpha).

Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is under development to aid this process.

Apache Tomcat 11.0.0-M1 is the first milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback.

The notable changes compared to 10.1.x include:
- Alignment with the current development versions of the Jakarta Servlet, Pages and Expression Language specifications. This includes removal of deprecated code and addition of the jakarta.servlet.error.query_string attribute for error dispatches
- BASIC authentication now uses UTF-8 by default
- Conversions from bytes to characters now trigger exceptions rather than replacement for invalid byte sequences for the given encoding

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
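The last two items above (BASIC authentication defaulting to UTF-8, and invalid byte sequences raising an error instead of being replaced) matter for authentication because a replacement character silently changes the identity string the server goes on to authorize. The following is an added example written for this page, not code from Tomcat or the Tomcat team: a Basic-credential parser in Python with a strict mode (the new behaviour) and a replace mode (the old one), run against two constructed headers. The header values and names are the editor's; nothing here is captured traffic.

```python
import base64
import binascii
from typing import Tuple


class InvalidCredentials(Exception):
    """Raised when an Authorization: Basic value cannot be decoded; refuse it, do not guess."""


def parse_basic(header: str, charset: str = "utf-8", strict: bool = True) -> Tuple[str, str]:
    """Decode an Authorization header value into (user, password).

    strict=True mirrors the behaviour described in the announcement: a byte sequence that
    is invalid for the charset is an error. strict=False mirrors the older replace-on-error
    behaviour, which silently substitutes U+FFFD for every bad byte.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise InvalidCredentials("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise InvalidCredentials("credential is not valid base64") from exc
    try:
        text = raw.decode(charset, "strict" if strict else "replace")
    except UnicodeDecodeError as exc:
        raise InvalidCredentials(f"credential is not valid {charset}") from exc
    user, sep, password = text.partition(":")
    if not sep:
        raise InvalidCredentials("credential lacks the ':' separator")
    return user, password


def rejects(header: str, strict: bool) -> bool:
    """True when the header is refused under the given decoding policy."""
    try:
        parse_basic(header, strict=strict)
    except InvalidCredentials:
        return True
    return False


# Constructed sample headers (not captured traffic). The second one encodes the user name
# in ISO-8859-1, as an older client might, so the 0xFC byte is not valid UTF-8.
UTF8_HEADER = "Basic " + base64.b64encode("jürgen:pässwörd".encode("utf-8")).decode("ascii")
LATIN1_HEADER = "Basic " + base64.b64encode(b"j\xfcrgen:secret").decode("ascii")

if __name__ == "__main__":
    print(parse_basic(UTF8_HEADER))                     # ('jürgen', 'pässwörd')
    print(rejects(LATIN1_HEADER, strict=True))          # True
    print(parse_basic(LATIN1_HEADER, strict=False)[0])  # 'j\ufffdrgen': a name no account has
```

In replace mode the Latin-1 client is "authenticated" as a user name containing U+FFFD; whether that fails closed or matches something depends entirely on the realm behind it, which is why failing at the decoding step is the safer default.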
[ANN] Apache Tomcat Migration tool for Jakarta EE 1.0.6
The Apache Tomcat team announces the immediate availability of Apache Tomcat Migration Tool for Jakarta EE 1.0.6.

Apache Tomcat Migration Tool for Jakarta EE is an open source software tool for migrating binary web applications (WAR files) and other binary artifacts from Java EE 8 to Jakarta EE 9.

The notable changes since 1.0.5 include:
- Correct regression in handling of javax.annotation package introduced in 1.0.5. PR provided by Danny Thomas.
- Allow parallel use of ClassConverter. PR provided by Danny Thomas.

Please refer to the change log for the complete list of changes:
https://github.com/apache/tomcat-jakartaee-migration/blob/master/CHANGES.md

Downloads:
http://tomcat.apache.org/download-migration.cgi

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat 10.1.2 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.2.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

The notable changes compared to 10.1.1 include:
- Fix concurrency issue in evaluation of expression language containing lambda expressions.
- Update the packaged version of the Apache Tomcat Native Library to 2.0.2 to pick up the Windows binaries built with OpenSSL 3.0.7.
- Correct the date format used with the expires attribute of HTTP cookies. A single space rather than a single dash should be used to separate the day, month and year components to be compliant with RFC 6265.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat Migration tool for Jakarta EE 1.0.5
The Apache Tomcat team announces the immediate availability of Apache Tomcat Migration Tool for Jakarta EE 1.0.5.

Apache Tomcat Migration Tool for Jakarta EE is an open source software tool for migrating binary web applications (WAR files) and other binary artefacts from Java EE 8 to Jakarta EE 9.

The notable changes since 1.0.4 include:
- Narrow scope of javax.annotation conversion to Java EE. Pull request by Danny Thomas.
- Improve manifest handling and conversion performance. Pull request by Danny Thomas.

Please refer to the change log for the complete list of changes:
https://github.com/apache/tomcat-jakartaee-migration/blob/master/CHANGES.md

Downloads:
http://tomcat.apache.org/download-migration.cgi

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat Native 2.0.2 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 2.0.2 stable.

The key features of this release are:
- Update the minimum supported version of LibreSSL to 3.5.2. Based on PR #13 provided by orbea.
- The Windows binaries in this release have been built with OpenSSL 3.0.7

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x or later but can be used with earlier versions as long as the APR/native connector is not used.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 2.0.x provides an API for using OpenSSL for SSL networking with Apache Tomcat.
[SECURITY] CVE-2022-42252 Apache Tomcat - Request Smuggling
CVE-2022-42252 Apache Tomcat - Request Smuggling

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0
Apache Tomcat 10.0.0-M1 to 10.0.26
Apache Tomcat 9.0.0-M1 to 9.0.67
Apache Tomcat 8.5.0 to 8.5.82

Description:
If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Ensure rejectIllegalHeader is set to true
- Upgrade to Apache Tomcat 10.1.1 or later
- Upgrade to Apache Tomcat 10.0.27 or later
- Upgrade to Apache Tomcat 9.0.68 or later
- Upgrade to Apache Tomcat 8.5.83 or later

Credit:
Thanks to Sam Shahsavar who discovered this issue and reported it to the Apache Tomcat security team.

History:
2022-10-31 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[ANN] Apache Tomcat 10.1.1 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.1.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

The notable changes compared to 10.1.0 include:
- Fix bug 66277, a refactoring regression that broke JSP includes amongst other functionality
- Fix unexpected timeouts that may appear as client disconnections when using HTTP/2 and NIO2
- Update to Eclipse JDT compiler 4.23

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat 8.5.83 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.83.

Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.

Apache Tomcat 8.5.83 is a bugfix and feature release. The notable changes compared to 8.5.82 include:
- Add support for authenticating WebSocket clients with an HTTP forward proxy when establishing a connection to a WebSocket endpoint via a forward proxy that requires authentication. Based on a patch provided by Joe Mokos.
- Various fixes for edge case bugs in EL processing
- Enforce the requirement of RFC 7230 onwards that a request with a malformed content-length header should always be rejected with a 400 response.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0:
https://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
[ANNOUNCEMENT] Commons Daemon 1.3.2 Released
The Apache Commons Team is pleased to announce the availability of Apache Commons Daemon 1.3.2.

The Apache Commons Daemon software library provides a generic Daemon (unix) or Service (Windows) wrapper for Java code.

Version 1.3.2 is a bugfix release.

A full list of changes can be found at
https://commons.apache.org/proper/commons-daemon/changes-report.html

Source and binary distributions are available for download from the Apache Commons download site:
https://commons.apache.org/proper/commons-daemon/download_daemon.cgi

Please verify signatures using the KEYS file available at the above location when downloading the release.

For complete information on Commons Daemon, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Daemon website:
https://commons.apache.org/proper/commons-daemon/

Mark on behalf of the Apache Commons community
[ANN] Apache Tomcat 10.0.27 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.27.

This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

The notable changes compared to 10.0.26 include:
- Fix bug 66277, a refactoring regression that broke JSP includes amongst other functionality
- Fix unexpected timeouts that may appear as client disconnections when using HTTP/2 and NIO2
- Enforce the requirement of RFC 7230 onwards that a request with a malformed content-length header should always be rejected with a 400 response.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat 9.0.68 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.68.

Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.

Apache Tomcat 9.0.68 is a bugfix and feature release. The notable changes compared to 9.0.67 include:
- Fix bug 66277, a refactoring regression that broke JSP includes amongst other functionality
- Fix unexpected timeouts that may appear as client disconnections when using HTTP/2 and NIO2
- Enforce the requirement of RFC 7230 onwards that a request with a malformed content-length header should always be rejected with a 400 response.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
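The RFC 7230 item in the 8.5.83, 10.0.27 and 9.0.68 release notes above is the fix for the CVE-2022-42252 advisory earlier on this page: a Content-Length value that is not 1*DIGIT must be a 400, because a front end that tolerates the malformed value and a back end that silently drops the header will disagree about where the request body ends. The following is an added example written for this page, not Tomcat code and not code from the advisory: a small HTTP/1.1 framing model in Python with a strict mode (the fixed behaviour, equivalent to rejectIllegalHeader="true" on the Connector) and a lenient mode (the pre-fix behaviour), plus a model of a permissive proxy. The request bytes, the "+34" value and the int()-based proxy model are the editor's constructions, not a specific product's parsing rules.

```python
import re
from typing import List, Optional, Tuple

# RFC 7230 section 3.3.2 defines Content-Length as 1*DIGIT. Anything else is malformed.
_CONTENT_LENGTH = re.compile(r"^[0-9]+$")

Headers = List[Tuple[str, str]]


class BadRequest(Exception):
    """The request must be answered with 400 and the connection closed."""


def parse_head(head: bytes) -> Tuple[str, Headers]:
    """Split a request head (request line plus header lines, no body) into its parts."""
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers: Headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise BadRequest("malformed header line")
        headers.append((name.decode("ascii").strip().lower(), value.decode("ascii").strip()))
    return request_line, headers


def body_length(headers: Headers, reject_illegal_header: bool) -> int:
    """Determine the body length the way a strict or a lenient HTTP/1.1 parser would.

    reject_illegal_header=True is the RFC 7230 behaviour: a malformed value is a 400.
    reject_illegal_header=False models the pre-fix lenient mode, where the invalid header
    is ignored and the request is treated as having no body.
    """
    values = [v for name, v in headers if name == "content-length"]
    if not values:
        return 0
    if len(set(values)) != 1:
        raise BadRequest("conflicting Content-Length values")
    value = values[0]
    if not _CONTENT_LENGTH.match(value):
        if reject_illegal_header:
            raise BadRequest(f"invalid Content-Length: {value!r}")
        return 0  # header silently dropped: the body bytes will be read as the next request
    return int(value)


def frame_requests(stream: bytes, reject_illegal_header: bool) -> List[Tuple[str, bytes]]:
    """Cut a keep-alive byte stream into (request line, body) pairs as a backend would."""
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            raise BadRequest("incomplete request head")
        request_line, headers = parse_head(head)
        length = body_length(headers, reject_illegal_header)
        requests.append((request_line, rest[:length]))
        stream = rest[length:]
    return requests


def lenient_proxy_length(value: str) -> Optional[int]:
    """Model of a front end that tolerates a sign on the value (assumption: int() semantics)."""
    try:
        return int(value)
    except ValueError:
        return None


def is_rejected(stream: bytes, reject_illegal_header: bool) -> bool:
    """True when the backend model answers the stream with a 400."""
    try:
        frame_requests(stream, reject_illegal_header)
    except BadRequest:
        return True
    return False


# Constructed sample (not captured traffic). "+34" is not 1*DIGIT, yet int() reads it as 34,
# so a proxy modelled by lenient_proxy_length forwards everything as ONE request with a
# 34-byte body. A backend that ignores the illegal header instead sees TWO requests, and the
# second one never passed the proxy's own access checks.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"
ATTACK = (
    b"POST /upload HTTP/1.1\r\nHost: app\r\nContent-Length: +"
    + str(len(SMUGGLED)).encode("ascii")
    + b"\r\n\r\n"
    + SMUGGLED
)

if __name__ == "__main__":
    print(lenient_proxy_length("+" + str(len(SMUGGLED))))       # 34
    print(frame_requests(ATTACK, reject_illegal_header=False))  # two requests, /admin smuggled
    print(is_rejected(ATTACK, reject_illegal_header=True))      # True
```

The practical check on a deployment is the same as the mitigation list: confirm the Connector does not set rejectIllegalHeader="false" (or is on a fixed version), and confirm the proxy in front of it also rejects a non-digit Content-Length rather than normalising it.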
[SECURITY] CVE-2021-43980 Apache Tomcat - Information Disclosure
CVE-2021-43980 Apache Tomcat - Information Disclosure

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M12
Apache Tomcat 10.0.0-M1 to 10.0.18
Apache Tomcat 9.0.0-M1 to 9.0.60
Apache Tomcat 8.5.0 to 8.5.77

Description:
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 10.1.0-M14 or later once released
- Upgrade to Apache Tomcat 10.0.20 or later once released
- Upgrade to Apache Tomcat 9.0.62 or later once released
- Upgrade to Apache Tomcat 8.5.78 or later once released
- Note 10.1.0-M13, 10.0.19 and 9.0.61 were not released

Credit:
Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for discovering the issue and working with the Tomcat security team to identify the root cause and appropriate fix.

History:
2022-09-28 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[ANN] Apache Tomcat 10.0.26 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.26.

This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

The notable changes compared to 10.0.23 include:
- Add support for authenticating WebSocket clients with an HTTP forward proxy when establishing a connection to a WebSocket endpoint via a forward proxy that requires authentication. Based on a patch provided by Joe Mokos.
- Various fixes for edge case bugs in EL processing
- Improve host header handling for HTTP/2 requests

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat 10.1.0 (stable) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0 (stable). This is the first stable release of the 10.1.x branch.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

The notable changes compared to 10.1.0-M17 include:
- Add support for authenticating WebSocket clients with an HTTP forward proxy when establishing a connection to a WebSocket endpoint via a forward proxy that requires authentication. Based on a patch provided by Joe Mokos.
- Various fixes for edge case bugs in EL processing.
- Improve host header handling for HTTP/2 requests.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat Migration tool for Jakarta EE 1.0.4
The Apache Tomcat team announces the immediate availability of Apache Tomcat Migration Tool for Jakarta EE 1.0.4.

Apache Tomcat Migration Tool for Jakarta EE is an open source software tool for migrating binary web applications (WAR files) and other binary artefacts from Java EE 8 to Jakarta EE 9.

The notable changes since 1.0.3 include:
- Improve the fix converting web applications that include JARs that store one or more entries in uncompressed form
- Add a new conversion profile that converts from Jakarta EE 9 to Java EE 8

Please refer to the change log for the complete list of changes:
https://github.com/apache/tomcat-jakartaee-migration/blob/master/CHANGES.md

Downloads:
http://tomcat.apache.org/download-migration.cgi

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat Migration tool for Jakarta EE 1.0.3
The Apache Tomcat team announces the immediate availability of Apache Tomcat Migration Tool for Jakarta EE 1.0.3.

Apache Tomcat Migration Tool for Jakarta EE is an open source software tool for migrating binary web applications (WAR files) and other binary artefacts from Java EE 8 to Jakarta EE 9.

The notable changes since 1.0.1 include:
- Update checksums for modified files to avoid issues when trying to use migrated JAR files
- Handle migration of manifest files when part of an exploded JAR

Please refer to the change log for the complete list of changes:
https://github.com/apache/tomcat-jakartaee-migration/blob/master/CHANGES.md

Downloads:
http://tomcat.apache.org/download-migration.cgi

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat 10.0.23 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.23.

This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

The notable changes compared to 10.0.22 include:
- Implement support for repeatable builds
- Update the packaged version of the Tomcat Native Library to 1.2.35. This includes Windows binaries built with OpenSSL 1.1.1q.
- Fix CVE-2022-34305, a low severity XSS vulnerability in the Form authentication example

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat 10.1.0-M17 (beta) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M17 (beta).

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications. The Jakarta EE specifications implemented by Tomcat 10.1.x are now final and Tomcat's implementation of those specifications is complete.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10.1.0-M17 is a milestone release of the 10.1.x branch and has been made to provide users with early access to the new features in Apache Tomcat 10.1.x so that they may provide feedback.

The notable changes compared to 10.1.0-M16 include:
- Implement support for repeatable builds
- Update the packaged version of the Tomcat Native Library to 2.0.1. This includes Windows binaries built with OpenSSL 3.0.5.
- Update experimental Panama modules with support for OpenSSL 3.0+. OpenSSL 1.1 remains supported.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat Native 2.0.1 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 2.0.1 stable.

The key features of this release are:
- JNI API has been reduced to just that required to support Tomcat's OpenSSL based TLS implementation. The APR/native connector is no longer supported in this branch.
- The minimum supported versions have been increased to OpenSSL 3.0.x, Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2
- The Windows binaries in this release have been built with OpenSSL 3.0.5

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but can be used with earlier versions as long as the APR/native connector is not used.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 2.0.x provides an API for using OpenSSL for SSL networking with Apache Tomcat.
[ANN] Apache Tomcat Migration tool for Jakarta EE 1.0.1
The Apache Tomcat team announces the immediate availability of Apache Tomcat Migration Tool for Jakarta EE 1.0.1.

Apache Tomcat Migration Tool for Jakarta EE is an open source software tool for migrating binary web applications (WAR files) and other binary artefacts from Java EE 8 to Jakarta EE 9.

The notable changes since 1.0.0 include:
- Add support for .groovy files
- Better support for non-standard archives
- Numerous library updates

Please refer to the change log for the complete list of changes:
https://github.com/apache/tomcat-jakartaee-migration/blob/master/CHANGES.md

Downloads:
http://tomcat.apache.org/download-migration.cgi

Enjoy!
- The Apache Tomcat team
[SECURITY] CVE-2022-34305 Apache Tomcat - XSS in examples web application
CVE-2022-34305 Apache Tomcat - XSS in examples web application

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M16
Apache Tomcat 10.0.0-M1 to 10.0.22
Apache Tomcat 9.0.30 to 9.0.64
Apache Tomcat 8.5.50 to 8.5.81

Description:
The Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Remove the examples web application as documented in the Tomcat security guide
- Upgrade to Apache Tomcat 10.1.0-M17 or later once released
- Upgrade to Apache Tomcat 10.0.23 or later once released
- Upgrade to Apache Tomcat 9.0.65 or later once released
- Upgrade to Apache Tomcat 8.5.82 or later once released

History:
2022-06-23 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[ANN] Apache Tomcat Native 1.2.34 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.34 stable.

The key features of this release are:
- Refactor the initialization of the native code so it is compatible with Tomcat 10.1.x where deprecated Java classes will be removed
- Map the OpenSSL 3.0.x FIPS behaviour to the 1.1.1 API to allow clients to determine if the FIPS provider is being used when Tomcat Native is compiled against OpenSSL 3.0.x

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides a portable API for features not found in contemporary JDKs. It uses Apache Portable Runtime as operating system abstraction layer and OpenSSL for SSL networking and allows optimal performance in production environments.
[ANN] Apache Tomcat 10.0.22 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.22.

This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

The notable changes compared to 10.0.21 include:
- Correct a regression in the support added for encrypted PKCS#1 formatted private keys in the previous release that broke support for unencrypted PKCS#1 formatted private keys.
- Increase the default buffer size for cluster messages from 43800 to 65536 bytes. This is expected to improve performance for large messages when running on Linux based systems.
- When using TLS with non-blocking writes and the NIO connector, ensure that flushing the buffers attempts to empty all of the output buffers.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat 10.1.0-M16 (beta) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M16 (beta).

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications. The Jakarta EE specifications implemented by Tomcat 10.1.x are now final and Tomcat's implementation of those specifications is complete.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10.1.0-M16 is a milestone release of the 10.1.x branch and has been made to provide users with early access to the new features in Apache Tomcat 10.1.x so that they may provide feedback.

The notable changes compared to 10.1.0-M15 include:
- Refactor synchronization blocks locking on SocketWrapper to use ReentrantLock to support users wishing to experiment with project Loom.
- Correct a regression in the support added for encrypted PKCS#1 formatted private keys in the previous release that broke support for unencrypted PKCS#1 formatted private keys.
- Increase the default buffer size for cluster messages from 43800 to 65536 bytes. This is expected to improve performance for large messages when running on Linux based systems.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat 10.0.21 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.21.

This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

The notable changes compared to 10.0.20 include:
- Provide a property source that sources values from Kubernetes service bindings. Provided by Sumit Kulhadia and Gareth Evans.
- The root cause of the Linux kernel duplicate accept bug has been identified along with the version of the kernel that includes the fix. The error message displayed when this bug occurs has been updated to reflect this new information and to advise users to update to a version of the OS that uses kernel 5.10 or later. Thanks to Christopher Gual for the research into this issue.
- Update the packaged version of the Tomcat Native Library to 1.2.33 to pick up Windows binaries built with OpenSSL 1.1.1o.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
[ANN] Apache Tomcat 10.1.0-M15 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M15 (alpha).

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10.1.0-M15 is a milestone release of the 10.1.x branch and has been made to provide users with early access to the new features in Apache Tomcat 10.1.x so that they may provide feedback.

The notable changes compared to 10.1.0-M14 include:
- Provide a property source that sources values from Kubernetes service bindings. Provided by Sumit Kulhadia and Gareth Evans.
- The root cause of the Linux kernel duplicate accept bug has been identified along with the version of the kernel that includes the fix. The error message displayed when this bug occurs has been updated to reflect this new information and to advise users to update to a version of the OS that uses kernel 5.10 or later. Thanks to Christopher Gual for the research into this issue.
- Update the packaged version of the Tomcat Native Library to 1.2.33 to pick up Windows binaries built with OpenSSL 1.1.1o.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!
- The Apache Tomcat team
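Every Tomcat 10 announcement on this page repeats the same operational point: a Java EE WAR will not run on Tomcat 10 unless it is converted, either automatically from webapps-javaee or offline with the Migration Tool for Jakarta EE. Before relying on either path it is useful to know whether an archive (and the JARs bundled inside it) actually references the javax.* APIs at all. The following is an added example written for this page, serving the webapps-javaee paragraphs above and the Migration Tool announcements; it is not the migration tool's code and is not how the tool decides what to convert. The prefix list is the editor's, derived from the specifications the announcements name, and the sample WAR is constructed in memory with fake class bodies.

```python
import io
import zipfile
from typing import Dict, List

# Package prefixes of the Java EE APIs that moved to jakarta.* (Servlet and JSP, EL,
# WebSocket, JASPIC, annotations). Assumption: this list is the editor's, not the
# migration tool's configuration.
JAVA_EE_PREFIXES = (
    b"javax/servlet",
    b"javax/el",
    b"javax/websocket",
    b"javax/security/auth/message",
    b"javax/annotation",
)


def scan_archive(data: bytes) -> Dict[str, List[str]]:
    """Map each .class entry (including those inside nested JARs) to the Java EE prefixes it references.

    Compiled classes keep referenced class names in the constant pool as modified UTF-8,
    so a substring search over the raw class bytes is enough to flag javax.* usage.
    """
    hits: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            blob = archive.read(info.filename)
            if info.filename.endswith(".jar"):
                for inner, found in scan_archive(blob).items():
                    hits[f"{info.filename}!{inner}"] = found
            elif info.filename.endswith(".class"):
                found = sorted(p.decode("ascii") for p in JAVA_EE_PREFIXES if p in blob)
                if found:
                    hits[info.filename] = found
    return hits


def needs_migration(data: bytes) -> bool:
    """True when the archive cannot run on Tomcat 10+ as-is and has to go through conversion."""
    return bool(scan_archive(data))


def build_sample_war() -> bytes:
    """Constructed sample WAR: one servlet class plus a nested JAR. The class bodies are fake
    (class-file magic number plus the constant-pool strings the scan looks for), not bytecode."""
    def fake_class(refs: List[bytes]) -> bytes:
        return b"\xca\xfe\xba\xbe" + b"\x00".join(refs)

    lib = io.BytesIO()
    with zipfile.ZipFile(lib, "w") as jar:
        jar.writestr("com/example/AuditFilter.class", fake_class([b"javax/servlet/Filter"]))
        jar.writestr("com/example/Util.class", fake_class([b"java/util/List"]))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/web.xml", b"<web-app/>")
        w.writestr(
            "WEB-INF/classes/com/example/HelloServlet.class",
            fake_class([b"javax/servlet/http/HttpServlet", b"javax/el/ELContext"]),
        )
        w.writestr("WEB-INF/lib/example-lib.jar", lib.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    sample = build_sample_war()
    for entry, prefixes in scan_archive(sample).items():
        print(f"{entry}: {', '.join(prefixes)}")
    print("needs migration:", needs_migration(sample))  # True
```

Run against a real WAR (read the file into `scan_archive`) this gives the list of classes, including those in third-party JARs under WEB-INF/lib, that the converter will have to rewrite; a non-empty result with entries only in vendor JARs is the usual sign that the library itself needs a Jakarta-native version rather than a binary rewrite.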
[SECURITY] CVE-2022-25762 Apache Tomcat - Request Mix-up
CVE-2022-25762 Apache Tomcat - Request Mix-up

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.20
Apache Tomcat 8.5.0 to 8.5.75

Description:
If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong user and/or other errors.

Mitigation:
Users of the affected versions should apply one of the following mitigations:

- Upgrade to Apache Tomcat 9.0.21 or later
- Upgrade to Apache Tomcat 8.5.76 or later

History:
2022-05-12 Original advisory

Credit:
This issue was identified by the Apache Tomcat security team.

References:
[1] https://tomcat.apache.org/security-9.html
[2] https://tomcat.apache.org/security-8.html
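The failure mode in this advisory, a pooled object returned twice and then handed to two connections at once, is easiest to see in a few lines of code. The following is an added example, not Tomcat's own pool code; the ReturnGuardedPool and Slot names are invented. It shows an unguarded release path that accepts the same object back twice beside a guarded one that tracks what is checked out and refuses the repeat return.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.Set;

/**
 * Minimal object pool illustrating why a return path must be idempotent.
 * Added example; this is not Apache Tomcat code and the names are invented.
 */
public final class ReturnGuardedPool {

    /** A pooled object that must be used by only one owner at a time. */
    static final class Slot {
        final int id;
        String owner; // current holder, for the demonstration only
        Slot(int id) { this.id = id; }
    }

    private final Deque<Slot> idle = new ArrayDeque<>();
    private final Set<Slot> checkedOut = new HashSet<>();
    private final boolean guarded;

    ReturnGuardedPool(int size, boolean guarded) {
        this.guarded = guarded;
        for (int i = 0; i < size; i++) {
            idle.push(new Slot(i));
        }
    }

    synchronized Slot borrow(String owner) {
        Slot s = idle.poll();
        if (s == null) {
            return null;
        }
        s.owner = owner;
        checkedOut.add(s);
        return s;
    }

    /**
     * Unguarded mode: a second return of the same Slot pushes it onto the idle
     * list twice, so two later borrowers receive the same object.
     * Guarded mode: only a Slot that is currently checked out may be returned.
     */
    synchronized void release(Slot s) {
        boolean wasCheckedOut = checkedOut.remove(s);
        if (guarded && !wasCheckedOut) {
            // A close path and an error path racing each other both tried to
            // return the object; reject the repeat instead of corrupting the pool.
            throw new IllegalStateException("slot " + s.id + " returned twice");
        }
        s.owner = null;
        idle.push(s);
    }

    synchronized int idleCount() {
        return idle.size();
    }

    /**
     * Simulates the race from the advisory: the normal close path and the error
     * handler both release the same object. Returns true when two different
     * connections end up sharing one pooled object.
     */
    static boolean demonstrateMixUp(boolean guarded) {
        ReturnGuardedPool pool = new ReturnGuardedPool(1, guarded);
        Slot s = pool.borrow("conn-A");
        pool.release(s);            // normal close path
        try {
            pool.release(s);        // error handler fires after the socket is already closed
        } catch (IllegalStateException e) {
            return false;           // guarded pool refused the double return
        }
        Slot b = pool.borrow("conn-B");
        Slot c = pool.borrow("conn-C");
        return b == c;              // unguarded pool: conn-B and conn-C share one object
    }

    public static void main(String[] args) {
        System.out.println("unguarded pool shares an object between connections: "
                + demonstrateMixUp(false));
        System.out.println("guarded pool shares an object between connections: "
                + demonstrateMixUp(true));
    }
}
```

The guard costs one set lookup per return and turns a silent cross-request data leak into an immediate, loggable exception, which is the kind of failure a detection pipeline can alert on rather than one that only surfaces as a user seeing someone else's response.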
[SECURITY] CVE-2022-29885 Apache Tomcat EncryptInterceptor DoS
CVE-2022-29885 Apache Tomcat EncryptInterceptor

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M14
Apache Tomcat 10.0.0-M1 to 10.0.20
Apache Tomcat 9.0.13 to 9.0.62
Apache Tomcat 8.5.38 to 8.5.78

Description:
The documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Mitigation:
Users running clustering over an untrusted network who require full protection should switch to an alternative solution such as running the clustering communication over a VPN.

History:
2022-05-10 Original advisory

Credit:
This issue was reported to the Apache Tomcat Security team by 4ra1n.

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[ANN] Apache Tomcat Native 1.2.33 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.33 stable.

The key features of this release are:

- Windows binaries built using OpenSSL 1.1.1o

- Fixes a potential crash when attempting to read the TLS session ID after a handshake failure.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides a portable API for features not found in contemporary JDKs. It uses Apache Portable Runtime as an operating system abstraction layer and OpenSSL for SSL networking and allows optimal performance in production environments.
[ANNOUNCEMENT] Commons Daemon 1.3.1 Released
The Apache Commons Team is pleased to announce the availability of Apache Commons Daemon 1.3.1.

The Apache Commons Daemon software library provides a generic Daemon (unix) or Service (Windows) wrapper for Java code.

Version 1.3.1 is a mainly bugfix release.

A full list of changes can be found at
https://commons.apache.org/proper/commons-daemon/changes-report.html

Source and binary distributions are available for download from the Apache Commons download site:
https://commons.apache.org/proper/commons-daemon/download_daemon.cgi

Please verify signatures using the KEYS file available at the above location when downloading the release.

For complete information on Commons Daemon, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Daemon website:
https://commons.apache.org/proper/commons-daemon/

Mark on behalf of the Apache Commons community
[ANN] Apache Tomcat 8.5.78 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.78.

Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for Containers technologies.

Apache Tomcat 8.5.78 is a bugfix and feature release. The notable changes compared to 8.5.77 include:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by Thomas Hoffmann.

- Add additional warnings if incompatible TLS configurations are used such as HTTP/2 with CLIENT-CERT authentication

- Harden the class loader to provide a mitigation for CVE-2022-22965, a Spring Framework vulnerability

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 10.0.20 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.20.

This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

The notable changes compared to 10.0.18 include:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by Thomas Hoffmann.

- Add additional warnings if incompatible TLS configurations are used such as HTTP/2 with CLIENT-CERT authentication

- Harden the class loader to provide a mitigation for CVE-2022-22965, a Spring Framework vulnerability

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 10.1.0-M14 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M14 (alpha).

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10.1.0-M14 is a milestone release of the 10.1.x branch and has been made to provide users with early access to the new features in Apache Tomcat 10.1.x so that they may provide feedback.

The notable changes compared to 10.1.0-M12 include:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by Thomas Hoffmann.

- Add additional warnings if incompatible TLS configurations are used such as HTTP/2 with CLIENT-CERT authentication

- Harden the class loader to provide a mitigation for CVE-2022-22965, a Spring Framework vulnerability

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat Native 1.2.32 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.32 stable.

The key features of this release are:

- Windows binaries built using OpenSSL 1.1.1n

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides a portable API for features not found in contemporary JDKs. It uses Apache Portable Runtime as an operating system abstraction layer and OpenSSL for SSL networking and allows optimal performance in production environments.
[ANNOUNCEMENT] Commons Daemon 1.3.0 Released
The Apache Commons Team is pleased to announce the availability of Apache Commons Daemon 1.3.0.

The Apache Commons Daemon software library provides a generic Daemon (unix) or Service (Windows) wrapper for Java code.

Version 1.3.0 is a mainly bugfix release but also increases the minimum Java version to Java 7.

A full list of changes can be found at
https://commons.apache.org/proper/commons-daemon/changes-report.html

Source and binary distributions are available for download from the Apache Commons download site:
https://commons.apache.org/proper/commons-daemon/download_daemon.cgi

Please verify signatures using the KEYS file available at the above location when downloading the release.

For complete information on Commons Daemon, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Daemon website:
https://commons.apache.org/proper/commons-daemon/

Mark on behalf of the Apache Commons community
[ANN] Apache Tomcat 10.0.18 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.18.

This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

The notable changes compared to 10.0.17 include:

- Fix a potential thread-safety issue that could cause HTTP/1.1 request processing to pause, and potentially timeout, waiting for additional data when the full request has been received.

- Fix a regression introduced with the 65757 bugfix which better identified non-request threads but which introduced a similar problem when user code was doing sequential operations in a single thread.

- When resolving methods in EL expressions that use beans and/or static fields, ensure that any custom type conversion is considered when identifying the method to call.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 10.1.0-M12 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M12 (alpha).

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10.1.0-M12 is a milestone release of the 10.1.x branch and has been made to provide users with early access to the new features in Apache Tomcat 10.1.x so that they may provide feedback.

The notable changes compared to 10.1.0-M11 include:

- Fix a potential thread-safety issue that could cause HTTP/1.1 request processing to pause, and potentially timeout, waiting for additional data when the full request has been received.

- Fix a regression introduced with the 65757 bugfix which better identified non-request threads but which introduced a similar problem when user code was doing sequential operations in a single thread.

- When resolving methods in EL expressions that use beans and/or static fields, ensure that any custom type conversion is considered when identifying the method to call.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 10.1.0-M11 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M11 (alpha).

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10.1.0-M11 is a milestone release of the 10.1.x branch and has been made to provide users with early access to the new features in Apache Tomcat 10.1.x so that they may provide feedback.

The notable changes compared to 10.1.0-M10 include:

- Add support for additional user attributes to TomcatPrincipal and GenericPrincipal

- Correct a regression in the fix for 65454 that meant that minSpareThreads and maxThreads settings were ignored when the Connector used an internal executor

- Improve the detection of the Linux duplicate accept bug and reduce (hopefully avoid) instances of false positives.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 10.0.17 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.17.

This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

The notable changes compared to 10.0.16 include:

- Add support for additional user attributes to TomcatPrincipal and GenericPrincipal

- Correct a regression in the fix for 65454 that meant that minSpareThreads and maxThreads settings were ignored when the Connector used an internal executor

- Improve the detection of the Linux duplicate accept bug and reduce (hopefully avoid) instances of false positives.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[SECURITY] CVE-2022-23181 Apache Tomcat Local Privilege Escalation
CVE-2022-23181 Apache Tomcat Local Privilege Escalation

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M8
Apache Tomcat 10.0.0-M5 to 10.0.14
Apache Tomcat 9.0.35 to 9.0.56
Apache Tomcat 8.5.55 to 8.5.73

Description:
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

Mitigation:
Users of the affected versions should apply one of the following mitigations:

- Upgrade to Apache Tomcat 10.1.0-M10 or later
- Upgrade to Apache Tomcat 10.0.16 or later
- Upgrade to Apache Tomcat 9.0.58 or later
- Upgrade to Apache Tomcat 8.5.75 or later

Note: This issue was fixed in Apache Tomcat 10.1.0-M9, 10.0.15, 9.0.57 and 8.5.74 but the release vote for those release candidates did not pass. Therefore, although users must download 10.1.0-M10, 10.0.16, 9.0.58 or 8.5.75 to obtain a version that includes a fix for this issue, versions 10.1.0-M9, 10.0.15, 9.0.57 and 8.5.74 are not included in the list of affected versions.

History:
2022-01-26 Original advisory

Credit:
This issue was reported to the Apache Tomcat Security team by Trung Pham of Viettel Cyber Security.

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
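The advisory names the bug class, time of check to time of use, without describing the fix, so the following is a generic illustration of how a file-backed session store can avoid such a window when loading a session from disk. It is an added example and is not Tomcat's FileStore or its fix; the SessionFileLoader class, the ".session" suffix and the id alphabet are assumptions made for the example. The point it makes is that a separate "is this a symlink / regular file" check followed by an open leaves a gap a local user can race, whereas validating the untrusted id up front and letting the open itself refuse to follow links removes the gap.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.regex.Pattern;

/**
 * Generic illustration of avoiding a check-then-use window when loading a
 * persisted session from disk. Added example; not Apache Tomcat's FileStore.
 * The class name, file suffix and id alphabet are assumptions of this example.
 */
public final class SessionFileLoader {

    /** Session ids are opaque tokens; anything outside this alphabet is rejected outright. */
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,128}");

    private final Path baseDir;

    SessionFileLoader(Path baseDir) throws IOException {
        this.baseDir = baseDir.toRealPath();   // canonical, so startsWith below is meaningful
    }

    /**
     * Returns the stored bytes, or null when the id is malformed, would escape the
     * store directory, or names no file. Directories and symlinks are rejected by
     * the open call itself rather than by a separate check.
     */
    byte[] load(String untrustedId) throws IOException {
        if (untrustedId == null || !SAFE_ID.matcher(untrustedId).matches()) {
            return null;                                   // e.g. "../../etc/passwd"
        }
        Path target = baseDir.resolve(untrustedId + ".session").normalize();
        if (!target.startsWith(baseDir)) {
            return null;                                   // defence in depth: never leave baseDir
        }
        // Calling Files.isSymbolicLink(target) here and then opening would leave a
        // window in which a local user can swap the file for a link. Instead the
        // open refuses to follow a symlink atomically, so there is nothing to race.
        try (InputStream in = Files.newInputStream(target, LinkOption.NOFOLLOW_LINKS)) {
            return in.readAllBytes();
        } catch (NoSuchFileException e) {
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample store: one valid session file in a temporary directory.
        Path store = Files.createTempDirectory("session-store");
        Files.write(store.resolve("abc123.session"),
                "user=alice".getBytes(StandardCharsets.UTF_8));
        SessionFileLoader loader = new SessionFileLoader(store);

        byte[] ok = loader.load("abc123");                 // valid id, regular file
        byte[] traversal = loader.load("../../etc/passwd"); // rejected by the id allowlist
        byte[] missing = loader.load("doesnotexist");      // no such file

        System.out.println("valid id loaded: " + (ok != null
                ? new String(ok, StandardCharsets.UTF_8) : "null"));
        System.out.println("traversal id rejected: " + (traversal == null));
        System.out.println("missing id rejected: " + (missing == null));
    }
}
```

Two design choices carry the weight here: the id is validated against an allowlist before it ever touches a path API, and the only filesystem operation on the untrusted name is the open itself, with the link policy passed as an option to that open rather than tested beforehand.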
[ANN] Apache Tomcat 10.0.16 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.16.

This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

The notable changes compared to 10.0.14 include:

- Add recycling check in the input and output stream isReady to try to give a more informative ISE when the facade has been recycled.

- Implement support for HTTP/1.1 upgrade when the request includes a body. The maximum permitted size of the body is controlled by maxSavePostSize.

- Improve handling of various cases where one request/response processing thread attempts to manage the asynchronous IO for a different request/response

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 10.1.0-M10 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M10 (alpha).

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10.1.0-M10 is a milestone release of the 10.1.x branch and has been made to provide users with early access to the new features in Apache Tomcat 10.1.x so that they may provide feedback.

The notable changes compared to 10.1.0-M8 include:

- Add recycling check in the input and output stream isReady to try to give a more informative ISE when the facade has been recycled.

- Implement support for HTTP/1.1 upgrade when the request includes a body. The maximum permitted size of the body is controlled by maxSavePostSize.

- Improve handling of various cases where one request/response processing thread attempts to manage the asynchronous IO for a different request/response

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[SECURITY] Apache Tomcat and CVE-2021-44228 (Log4j vulnerability)
The following represents the current understanding of the Apache Tomcat security team at the time this announcement was issued. There is a lot of security research being focussed on log4j2 at the moment and it is probable that additional information will emerge.

Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x) have no dependency on any version of log4j.

Web applications deployed on Tomcat may have a dependency on log4j. You should seek support from your application vendors on how best to address this vulnerability.

Tomcat 8.0.x and earlier as well as the first few releases of 8.5.x (8.5.3 and earlier) provided optional support for switching Tomcat's internal logging to log4j 1.x. Anyone using these very old (5+ years), unsupported versions of Tomcat that switched to using log4j 1.x may need to address this vulnerability as log4j 1.x may be affected in some (probably rarely used) configurations. Regardless, they'll need to address the Tomcat vulnerabilities that have been made public in those 5+ years.

It is possible to configure Tomcat to use log4j 2.x for Tomcat's internal logging. This requires explicit configuration and the addition of the log4j 2.x library. Anyone who has switched Tomcat's internal logging to log4j 2.x is likely to need to address this vulnerability. In most cases, disabling the problematic feature will be the simplest solution. Exactly how to do that depends on the exact version of log4j2 being used. Details are provided on the log4j2 security page [1].

If not already subscribed, you may wish to follow the ASF announcements mailing list [2] where any significant updates from the logging project will be posted.

If you have any questions regarding this issue or how to mitigate it, please direct them to the Apache Tomcat Users mailing list [3].

The Apache Tomcat Security Team

[1] https://logging.apache.org/log4j/2.x/security.html
[2] https://www.apache.org/foundation/mailinglists.html#foundation-announce
[3] https://tomcat.apache.org/lists.html#tomcat-users
[ANN] Apache Tomcat 10.0.14 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.14.

This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

The notable changes compared to 10.0.13 include:

- Provide protection against a known OS bug that causes the acceptor to report an incoming connection more than once.

- Implement a workaround for a JVM bug that can trigger a file descriptor leak when using multi-part upload and the application does not explicitly close an input stream for an uploaded file that was cached on disk.

- Fix exceptions when the security manager is enabled and the first request received after starting is an HTTP request to a TLS enabled NIO2 connector.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 10.1.0-M8 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M8 (alpha).

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10.1.0-M8 is a milestone release of the 10.1.x branch and has been made to provide users with early access to the new features in Apache Tomcat 10.1.x so that they may provide feedback.

The notable changes compared to 10.1.0-M7 include:

- Limit cookie support to RFC 6265 to align with recent updates to the Servlet specification

- Update the WebSocket API packaging to remove the copy of the client API from the server API and replace it with a dependency on the client API. This aligns Tomcat with changes in the WebSocket 2.1 specification.

- Provide protection against a known OS bug that causes the acceptor to report an incoming connection more than once.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 10.0.13 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.13.

This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

The notable changes compared to 10.0.12 include:

- Experimental OpenSSL support through the Panama API incubating in Java 17, with support for OpenSSL 1.1+

- Add support for custom caching strategies for web application resources. This initial implementation allows control over whether or not a resource is cached.

- Improve robustness of JNDIRealm for exceptions occurring when getting the connection.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 10.1.0-M7 (alpha) available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M7 (alpha).

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

Apache Tomcat 10.1.0-M7 is a milestone release of the 10.1.x branch and has been made to provide users with early access to the new features in Apache Tomcat 10.1.x so that they may provide feedback.

The notable changes compared to 10.1.0-M6 include:

- Servlet API updates for Servlet 6 including refactoring HttpServlet.doHead(), support for generic attributes on Cookies, more consistent URI handling including an option to reject 'suspicious' URIs

- EL API updates for EL 5.0 including changes to ELResolver.getType()

- Experimental OpenSSL support through the Panama API incubating in Java 17, with support for OpenSSL 1.1+

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[SECURITY] CVE-2021-42340 Apache Tomcat DoS
CVE-2021-42340 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M5
Apache Tomcat 10.0.0-M10 to 10.0.11
Apache Tomcat 9.0.40 to 9.0.53
Apache Tomcat 8.5.60 to 8.5.71

Description:
The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Mitigation:
Users of the affected versions should apply one of the following mitigations:

- Upgrade to Apache Tomcat 10.1.0-M6 or later
- Upgrade to Apache Tomcat 10.0.12 or later
- Upgrade to Apache Tomcat 9.0.54 or later
- Upgrade to Apache Tomcat 8.5.72 or later

History:
2021-10-14 Original advisory
2021-10-14 Correct CVE reference in body of advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html