[ANN] Apache Tomcat 4.1.36 stable is released

2007-04-07 Thread Mark Thomas
The Apache Tomcat team is proud to announce the immediate availability of Tomcat 4.1.36 stable. This build contains numerous library updates, a small number of bug fixes and two important security fixes. Apache Tomcat is an implementation of the Java Server Pages 1.2 and Java Servlet 2.3

[ANN] Apache Tomcat 4.1.37 stable is released

2008-02-19 Thread Mark Thomas
The Apache Tomcat team is proud to announce the immediate availability of Tomcat 4.1.37 stable. This build contains numerous library updates, a small number of bug fixes and two important, one moderate and six low severity security fixes. Apache Tomcat is an implementation of the Java Server

[ANN] Apache Tomcat 4.1.39 stable is released

2008-12-03 Thread Mark Thomas
The Apache Tomcat team is proud to announce the immediate availability of Tomcat 4.1.39 stable. This build contains a small number of bug fixes and two important, one moderate and one low severity security fixes. Apache Tomcat is an implementation of the Java Server Pages 1.2 and Java Servlet 2.3

[SECURITY] CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability

2009-04-07 Thread Mark Thomas
Vulnerability announcement: CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability Severity: important Vendor: The Apache Software Foundation Versions Affected: mod_jk 1.2.0 to 1.2.26 Description: Situations where faulty clients

[SECURITY] CVE-2009-2902 Apache Tomcat unexpected file deletion in work directory

2010-01-24 Thread Mark Thomas
CVE-2009-2902: Apache Tomcat unexpected file deletion in work directory Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 5.5.0 to 5.5.28 Tomcat 6.0.0 to 6.0.20 The unsupported Tomcat 3.x, 4.x and 5.0.x versions may be

[ANN] Apache Tomcat 7.0.0 beta released

2010-06-29 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.0 beta. Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures. Apache Tomcat 7.0 includes new

[ANN] Apache Tomcat 7.0.0-beta released

2010-06-29 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.0 beta. Apache Tomcat 7.0 includes new features over Apache Tomcat 6.0, including support for the new Servlet 3.0, JSP 2.2 and EL 2.2 specifications, web application memory leak detection and prevention, improved

[ANN] Apache Tomcat 7.0.2 beta released

2010-08-20 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.2 beta. Apache Tomcat 7.0 includes new features over Apache Tomcat 6.0, including support for the new Servlet 3.0, JSP 2.2 and EL 2.2 specifications, web application memory leak detection and prevention, improved

[SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

2010-11-22 Thread Mark Thomas
CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.4 - Not affected in default configuration.

[ANN] Apache Tomcat 7.0.6 released

2011-01-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.6. This is the first stable release of the Tomcat 7 branch. Apache Tomcat 7.0.6 contains further performance improvements in session management, a new binary distribution targeted at users embedding Tomcat in other

[SECURITY] CVE-2010-3718 Apache Tomcat Local bypass of security manager file permissions

2011-02-04 Thread Mark Thomas
CVE-2010-3718 Apache Tomcat Local bypass of security manager file permissions Severity: Low Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.3 - Tomcat 6.0.0 to 6.0.? - Tomcat 5.5.0 to 5.5.? - Earlier, unsupported versions may also be affected Description: When

[ANN] Apache Tomcat 7.0.8 released

2011-02-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.8 Apache Tomcat 7.0.8 is primarily a security and bug fix release with numerous fixes compared to 7.0.6. Please refer to the change log for the list of changes: http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

[SECURITY] CVE-2011-0534 Apache Tomcat DoS vulnerability

2011-02-06 Thread Mark Thomas
CVE-2011-0534 Apache Tomcat DoS vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.6 - Tomcat 6.0.0 to 6.0.30 Description: Tomcat did not enforce the maxHttpHeaderSize limit while

[SECURITY] CVE-2011-0013 Apache Tomcat Manager XSS vulnerability

2011-02-06 Thread Mark Thomas
CVE-2011-0013 Apache Tomcat Manager XSS vulnerability Severity: Low Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.5 - Tomcat 6.0.0 to 6.0.29 - Tomcat 5.5.0 to 5.5.31 - Earlier, unsupported versions may also

[SECURITY] Tomcat 7 ignores @ServletSecurity annotations

2011-03-09 Thread Mark Thomas
The fix in Tomcat 7.0.10 was incomplete. @SecurityAnnotations are still ignored when there are no security constraints defined in web.xml (a typical use case). There will be a Tomcat 7.0.11 release shortly to address this. In the meantime, the workaround of specifying at least one security

[ANN] Apache Tomcat 7.0.11 released

2011-03-11 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.11 Apache Tomcat 7.0.11 is primarily a security fix release with a small number of additional bug fixes compared to 7.0.10. Please refer to the change log for the list of changes:

[ANN] Apache Tomcat 7.0.12 released

2011-04-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.12. Apache Tomcat 7.0.12 includes bug fixes and the following new features compared to version 7.0.11: * initial support for SPNEGO/Kerberos authentication (also referred to as Windows authentication); * provide a

[SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass

2011-04-06 Thread Mark Thomas
CVE-2011-1183 Apache Tomcat security constraint bypass Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.11 - Earlier versions are not affected Description: A regression in the fix for CVE-2011-1088 meant that security constraints were ignored when no

[SECURITY] CVE-2011-1475 Apache Tomcat information disclosure

2011-04-06 Thread Mark Thomas
CVE-2011-1475 Apache Tomcat information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.11 - Earlier versions are not affected Description: Changes introduced to the HTTP BIO connector to support Servlet 3.0 asynchronous requests

[ANN] Apache Tomcat 7.0.16 released

2011-06-17 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.16. Apache Tomcat 7.0.16 includes bug fixes and the following new features compared to version 7.0.14: - NIO implementation of the AJP connector - Enable Servlet 3 asynchronous processing support when using

[SECURITY] CVE-2011-2526 Apache Tomcat Information disclosure and availability vulnerabilities

2011-07-13 Thread Mark Thomas
CVE-2011-2526: Apache Tomcat Information disclosure and availability vulnerabilities Severity: low Vendor: The Apache Software Foundation Versions Affected: Tomcat 7.0.0 to 7.0.18 Tomcat 6.0.0 to 6.0.32 Tomcat 5.5.0 to 5.0.33

[ANN] Apache Tomcat 7.0.19 released

2011-07-19 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.19 Apache Tomcat 7.0.19 includes security fixes, bug fixes and the following new features compared to version 7.0.16: - JSP recompilation is now triggered by any change (backwards as well as forwards) in the last

[ANN] End of life for Apache Tomcat 5.5.x

2011-08-10 Thread Mark Thomas
The Apache Tomcat team announces that support for Apache Tomcat 5.5.x will end on 30 September 2012. This means that after 30 September 2012: - releases from the 5.5.x branch are highly unlikely - bugs affecting only the 5.5.x branch will not be addressed - security vulnerability reports will not

[ANN] Apache Tomcat 7.0.20 released

2011-08-12 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.20 Apache Tomcat 7.0.20 includes bug fixes and the following new features and fixes compared to version 7.0.19: - JSP files with dependencies in JARs are no longer recompiled on every access thereby improving

[SECURITY] CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)

2011-08-12 Thread Mark Thomas
CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat) Severity: Important Vendor: The Apache Software Foundation Versions Affected: Tomcat 7.0.0 to 7.0.19 Tomcat 6.0.30 to 6.0.32 Tomcat 5.5.32 to 5.5.33 Description: Due to a bug in the capabilities code, jsvc (the service
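
The announcement above concerns a daemon that was meant to drop its capabilities after switching to an unprivileged user and did not. The Python below is an added example, not part of Commons Daemon or Tomcat, of the check an operator can run against /proc/<pid>/status to confirm that the drop actually happened. The two sample status texts are constructed for the example, and the set of capabilities a daemon is allowed to keep is a policy assumption of the check, not something the announcement states.

```python
# Added example: verify from /proc that a service process really dropped its
# capabilities.  Not part of Commons Daemon or Tomcat; the sample status
# texts are constructed and the allowed set is an assumption of the check.

# Linux capability bit numbers, in bit order (include/uapi/linux/capability.h)
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]


def parse_cap_fields(status_text: str) -> dict:
    """Extract the Cap* hex masks (CapInh, CapPrm, CapEff, CapBnd, CapAmb)
    from the text of /proc/<pid>/status."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            name, _, value = line.partition(":")
            caps[name] = int(value.strip(), 16)
    return caps


def decode_caps(mask: int) -> set:
    """Capability names for a bit mask; bits newer than this table are kept as cap_<n>."""
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(("cap_" + CAP_NAMES[bit]) if bit < len(CAP_NAMES) else ("cap_%d" % bit))
        bit += 1
    return names


def unexpected_effective_caps(status_text: str, allowed=frozenset()) -> set:
    """Effective capabilities the process holds beyond `allowed`.  An empty
    set means the drop worked.  `allowed` is the operator's policy: for a
    daemon that must re-bind privileged ports it might be {"cap_net_bind_service"}."""
    caps = parse_cap_fields(status_text)
    if "CapEff" not in caps:
        raise ValueError("no CapEff line; not a Linux /proc status text")
    return decode_caps(caps["CapEff"]) - set(allowed)


def check_pid(pid: int, allowed=frozenset()) -> set:
    """The same check against a live process on a Linux host."""
    with open("/proc/%d/status" % pid) as fh:
        return unexpected_effective_caps(fh.read(), allowed)


# Constructed samples (not real captures): a daemon that kept only
# net_bind_service, and one that kept the whole root capability set after
# switching to uid 1001.
DROPPED = (
    "Name:\tjsvc\nUid:\t1001\t1001\t1001\t1001\n"
    "CapEff:\t0000000000000400\nCapBnd:\t0000000000000400\n"
)
NOT_DROPPED = (
    "Name:\tjsvc\nUid:\t1001\t1001\t1001\t1001\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
)

if __name__ == "__main__":
    policy = {"cap_net_bind_service"}
    print("dropped sample, beyond policy:    ", sorted(unexpected_effective_caps(DROPPED, policy)))
    print("not-dropped sample, beyond policy:", sorted(unexpected_effective_caps(NOT_DROPPED, policy)))
```

The check is worth running against the JVM that the daemon forks, not only the launcher: the uid change says nothing about the capability sets, and it is the child that ends up running the web applications.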

[SECURITY] CVE-2011-2481: Apache Tomcat information disclosure vulnerability

2011-08-12 Thread Mark Thomas
CVE-2011-2481: Apache Tomcat information disclosure vulnerability Severity: low Vendor: The Apache Software Foundation Versions Affected: Tomcat 7.0.0 to 7.0.16 Previous versions are not affected. Description: The re-factoring of XML validation for Tomcat 7.0.x re-introduced the vulnerability

[SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication

2011-09-26 Thread Mark Thomas
CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.11 - Tomcat 6.0.0 to 6.0.32 - Tomcat 5.5.0 to 5.5.33 -

[ANN] Apache Tomcat 7.0.22 released

2011-10-01 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.22 Apache Tomcat 7.0.22 includes bug fixes and new features compared to version 7.0.21 including: - Further improvements to the memory leak detection and prevention features. - Fix issue that prevented using SSL with

[SECURITY] CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app

2011-11-08 Thread Mark Thomas
CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app Severity: Low Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.21 Description: This issue only affects environments running web applications that

[ANN] Apache Tomcat 7.0.23 released

2011-11-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.23 This release includes numerous bug fixes and several new features compared to version 7.0.22. The notable new features include: * The ability to start and stop child containers (primarily Contexts: i.e. web

[SECURITY] Apache Tomcat and the hashtable collision DoS vulnerability

2011-12-28 Thread Mark Thomas
You may have read about a recently announced vulnerability rooted in the Java hashtable implementation [1]. Since Apache Tomcat uses a hashtable for storing HTTP request parameters, it is affected by this issue. As per [1], it appears that Oracle will not be providing a fix for this vulnerability
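
The entry above describes the problem only as far as "Tomcat uses a hashtable for storing HTTP request parameters". The Python below is an added example, not code from the announcement or from Tomcat, that reproduces the primitive behind the attack: a family of distinct strings sharing one Java String.hashCode() value, a toy chained table that shows the quadratic cost of inserting them, and a parameter-count cap of the kind a server can apply before any key is hashed. The seed pair "Aa"/"BB", the bucket count and the cap value are assumptions of the example.

```python
# Added example: Java String.hashCode() collisions and a parameter-count cap.
# Not Tomcat code; the seed pair "Aa"/"BB", the table size and the cap are
# assumptions of this example.


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over the UTF-16 code units,
    wrapped to a signed 32-bit int exactly as the JVM does."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def colliding_keys(n_bits: int) -> list:
    """Return 2**n_bits distinct strings that all share one hash value.

    "Aa" and "BB" both hash to 2112, and hash(x + y) == hash(x) * 31**len(y)
    + hash(y), so any sequence of equal-length, equal-hash blocks hashes to
    the same value: every extra block doubles the number of colliding keys.
    """
    keys = [""]
    for _ in range(n_bits):
        keys = [k + block for k in keys for block in ("Aa", "BB")]
    return keys


def chained_insert_comparisons(keys, n_buckets: int = 1024) -> int:
    """Insert keys into a toy separate-chaining table bucketed by the Java
    hash and count key comparisons.  With colliding keys every insert walks
    the whole chain, so the total is quadratic in the number of keys."""
    buckets = [[] for _ in range(n_buckets)]
    comparisons = 0
    for key in keys:
        chain = buckets[java_string_hash(key) % n_buckets]
        for existing in chain:
            comparisons += 1
            if existing == key:
                break
        else:
            chain.append(key)
    return comparisons


def parse_query(query: str, max_params: int) -> dict:
    """Parse 'a=1&b=2' into a dict, refusing the request outright when it
    carries more than max_params pairs.  The count is taken from the raw
    string before any key is hashed, so the cap costs O(n) no matter how the
    keys were chosen."""
    if query == "":
        return {}
    count = query.count("&") + 1
    if count > max_params:
        raise ValueError("too many request parameters (%d > %d)" % (count, max_params))
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value
    return params


if __name__ == "__main__":
    attack = colliding_keys(10)                     # 1024 keys, one hash value
    benign = ["k%d" % i for i in range(len(attack))]
    print(len(attack), "keys,", len({java_string_hash(k) for k in attack}), "distinct hash")
    print("comparisons, colliding:", chained_insert_comparisons(attack))
    print("comparisons, benign:   ", chained_insert_comparisons(benign))
```

Run directly, the script contrasts the comparison counts for 1024 colliding keys with 1024 ordinary ones; colliding_keys(n) grows as 2**n, so a query string of a few tens of kilobytes is enough to force millions of comparisons in a table that hashes this way, which is why the cap is applied to the count rather than to the table.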

[SECURITY] CVE-2011-3375 Apache Tomcat Information disclosure

2012-01-17 Thread Mark Thomas
CVE-2011-3375 Apache Tomcat Information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.21 - Tomcat 6.0.30 to 6.0.33 - Earlier versions are not affected Description: For performance reasons, information parsed from a request is

[SECURITY] CVE-2012-0022 Apache Tomcat Denial of Service

2012-01-17 Thread Mark Thomas
CVE-2012-0022 Apache Tomcat Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.22 - Tomcat 6.0.0 to 6.0.33 - Tomcat 5.5.0 to 5.5.34 - Earlier, unsupported versions may also be affected Description: Analysis of the recent hash

[ANN] Apache Tomcat 7.0.25 released

2012-01-21 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.25 This release includes numerous bug fixes and several new features compared to version 7.0.23. The notable new features include: * Align the Servlet 3.0 implementation with the changes defined in the first

[ANN] Apache Tomcat 7.0.26 released

2012-02-22 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.26 This release is primarily a bug fix release and includes numerous bug fixes compared to version 7.0.25. The notable bug fixes include: * Improved @HandlesTypes processing which no longer loads all

[ANN] Apache Tomcat 7.0.27 released

2012-04-07 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.27 This release includes significant new features as well as a number of bug fixes compared to version 7.0.26. The notable changes include: * Support for the WebSocket protocol (RFC6455). Both streaming and

[ANN] Apache Tomcat 7.0.28 released

2012-06-19 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.28. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release includes many improvements as well as a number of bug fixes compared to version

[ANN] Apache Tomcat 7.0.30 released

2012-09-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.30. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release contains numerous bug fixes and improvements compared to version 7.0.29. The notable

[ANN] Apache Tomcat 5.5.36 released

2012-10-10 Thread Mark Thomas
The Apache Tomcat Team announces the immediate availability of Apache Tomcat 5.5.36. Apache Tomcat 5.5.36 is primarily a bug-fix release. As per the previous end of life announcement [1] this will almost certainly be the final Apache Tomcat 5.5.x release. Users of the 5.5.x series are strongly

[SECURITY] CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses

2012-11-05 Thread Mark Thomas
CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.29 - Tomcat 6.0.0 to 6.0.35 - Tomcat 5.5.0 to 5.5.35 - Earlier, unsupported

Fwd: [ANN] Apache Tomcat 6.0.36 released

2012-11-06 Thread Mark Thomas
It has been brought to the attention of the Apache Tomcat PMC that the Tomcat 6.0.36 release announcement below was sent to the Tomcat users list and the Tomcat developers list but not the Tomcat and ASF announce lists. Please accept our apologies if you missed the Apache Tomcat 6.0.36 release

[ANN] Apache Tomcat 7.0.33 released

2012-11-21 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.33. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release contains a small number of bug fixes and improvements compared to version 7.0.32. The

CVE-2012-4534 Apache Tomcat denial of service

2012-12-04 Thread Mark Thomas
CVE-2012-4534 Apache Tomcat denial of service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.27 - Tomcat 6.0.0 to 6.0.35 Description: When using the NIO connector with sendfile and HTTPS enabled, if a client breaks the connection while

CVE-2012-3546 Apache Tomcat Bypass of security constraints

2012-12-04 Thread Mark Thomas
CVE-2012-3546 Apache Tomcat Bypass of security constraints Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.29 - Tomcat 6.0.0 to 6.0.35 Earlier unsupported versions may also be affected

CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter

2012-12-04 Thread Mark Thomas
CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.31 - Tomcat 6.0.0 to 6.0.35 Description: The CSRF prevention filter could be

[ANN] Apache Tomcat 7.0.34 released

2012-12-12 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.34. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release contains a small number of bug fixes and improvements compared to version 7.0.33. The

Re: [ANN] End of life for Apache Tomcat 5.5.x

2013-01-02 Thread Mark Thomas
On 10/08/2011 13:00, Mark Thomas wrote: The Apache Tomcat team announces that support for Apache Tomcat 5.5.x will end on 30 September 2012. This means that after 30 September 2012: - releases from the 5.5.x branch are highly unlikely - bugs affecting only the 5.5.x branch

[ANN] Apache Tomcat 7.0.35 released

2013-01-16 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.35. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release contains a small number of bug fixes and improvements compared to version 7.0.34. The

[ANN] Apache Tomcat 7.0.37 released

2013-02-18 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.37. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release contains a small number of bug fixes and improvements compared to version 7.0.35. The

[ANN] Apache Tomcat 7.0.39 released

2013-03-27 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.39. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. This release contains a number of bug fixes and improvements compared to version 7.0.37. The notable

CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException

2013-05-10 Thread Mark Thomas
CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.39 Description: Bug 54178 described a scenario where

[ANN] Apache Tomcat 7.0.40 released

2013-05-10 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.40. Apache Tomcat is an open source software implementation of the Java Servlet, JavaServer Pages and Java Expression Language technologies. This release contains a security fix and a number of bug fixes and

[SECURITY] CVE-2013-2067 Session fixation with FORM authenticator

2013-05-10 Thread Mark Thomas
CVE-2013-2067 Session fixation with FORM authenticator Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.32 - Tomcat 6.0.21 to 6.0.36 Description: FORM authentication associates the most recent
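
The description above is cut off by the archive, but the class of bug is session fixation: an attacker who can plant a session id in the victim's browser before login wants that id to become the authenticated session. The Python below is an added example, not Tomcat's FORM authenticator or session manager, of the defence: the session is re-keyed at the moment of successful authentication, shown beside the same flow without re-keying. The user table, credentials and session store are constructed for the example.

```python
# Added example: FORM-style login that defeats session fixation by moving the
# session to a fresh identifier when authentication succeeds.  Assumed design,
# not Tomcat's code; USERS is a constructed table for the example.
import hmac
import secrets

USERS = {"alice": "correct horse battery staple"}   # constructed, plaintext for brevity


def verify_password(username: str, password: str) -> bool:
    expected = USERS.get(username)
    # constant-time compare; a real deployment compares password hashes
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


class SessionStore:
    """Minimal in-memory session store keyed by an unguessable id."""

    def __init__(self):
        self._sessions = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"principal": None}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def change_id(self, old_sid: str) -> str:
        """Re-key the session: the old id stops resolving, the state survives."""
        state = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = state
        return new_sid


def form_login(store: SessionStore, sid: str, username: str, password: str) -> str:
    """Process a FORM login and return the session id the client must use from
    now on.  Success always rotates the id, so an id the attacker fixed in the
    victim's browser before login never becomes the authenticated session."""
    if store.get(sid) is None:
        raise KeyError("unknown session")
    if not verify_password(username, password):
        return sid                      # failed login: nothing changes
    new_sid = store.change_id(sid)
    store.get(new_sid)["principal"] = username
    return new_sid


def form_login_no_rotation(store: SessionStore, sid: str, username: str, password: str) -> str:
    """The same flow without re-keying: the attacker-known id is now logged in."""
    if store.get(sid) is None:
        raise KeyError("unknown session")
    if verify_password(username, password):
        store.get(sid)["principal"] = username
    return sid


if __name__ == "__main__":
    store = SessionStore()
    planted = store.create()            # id the attacker obtained and planted in the victim's browser
    after = form_login(store, planted, "alice", "correct horse battery staple")
    print("planted id still valid after login:", store.get(planted) is not None)
    print("victim now uses a different id:    ", after != planted)
```

The point of the second function is what not to do: rotating the id only on session creation, or only when no session exists yet, leaves the planted id in place, and that is exactly the id the attacker will present.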

[ANN] Apache Tomcat 7.0.41 released

2013-06-11 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.41. Apache Tomcat is an open source software implementation of the Java Servlet, JavaServer Pages and Java Expression Language technologies. This release contains a number of bug fixes and improvements compared to

[ANN] Apache Tomcat 8.0.0-RC1 (alpha) available

2013-08-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.0-RC1 (alpha). Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8 is aligned with Java

[ANN] Apache Tomcat 8.0.0-RC3 (alpha) available

2013-09-24 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.0-RC3 (alpha). Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8 is aligned with Java

[ANN] Apache Tomcat 8.0.0-RC5 (alpha) available

2013-10-21 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.0-RC5 (alpha). Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8 is aligned with Java

[ANN] Apache Tomcat 8.0.0-RC10 (alpha) available

2013-12-27 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.0-RC10 (alpha). Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8 is aligned with Java

[ANN] Apache Tomcat 6.0.39 released

2014-02-03 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.39 stable. Apache Tomcat 6.0.39 is primarily a security and bug fix release. The notable changes include: - Various improvements to XML configuration file validation. - Better adherence to RFC2616 for Content-Type

[SECURITY] CVE-2013-4590 Information disclosure via XXE when running untrusted web applications

2014-02-25 Thread Mark Thomas
CVE-2013-4590 Information disclosure via XXE when running untrusted web applications Severity: Low Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5 - Apache Tomcat 7.0.0 to 7.0.47 - Apache

[SECURITY] CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service)

2014-02-25 Thread Mark Thomas
CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service) Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5 - Apache Tomcat 7.0.0 to 7.0.47 - Apache Tomcat 6.0.0 to

[SECURITY] CVE-2014-0033 Session fixation still possible with disableURLRewriting enabled

2014-02-25 Thread Mark Thomas
CVE-2014-0033 Session fixation still possible with disableURLRewriting enabled Severity: Low Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 6.0.33 to 6.0.37 Description: Previous fixes to path parameter handling [1]

[SECURITY] CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure)

2014-02-25 Thread Mark Thomas
CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure) Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 - Apache Tomcat 7.0.0 to 7.0.42 - Apache Tomcat 6.0.0 to 6.0.37

[ANNOUNCEMENT] Apache Commons DBCP 2.0 released

2014-03-04 Thread Mark Thomas
, or suggestions for improvement, see the Apache Commons DBCP website: http://commons.apache.org/proper/commons-dbcp/ Mark Thomas, on behalf of the Apache Commons community

[ANN] Apache Tomcat 8.0.5 (beta) available

2014-03-28 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.5 (beta). Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8 is aligned with Java EE 7.

[ANN] Apache Tomcat 8.0.8 (beta) available

2014-05-22 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.8 (beta). Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8 is aligned with Java EE 7.

[ANN] Apache Tomcat 6.0.41 released

2014-05-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.41 stable. Apache Tomcat 6.0.41 is primarily a bug fix release. The notable changes include: - Add support for using ecj-P20140317-1600.jar to use Java 8 syntax in JSPs - Update native library to 1.1.30 - Various

[SECURITY] CVE-2014-0075 Apache Tomcat denial of service

2014-05-27 Thread Mark Thomas
CVE-2014-0075 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.3 - Apache Tomcat 7.0.0 to 7.0.52 - Apache Tomcat 6.0.0 to 6.0.39 Description: It was possible to craft a malformed chunk size as part of a chunked
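
The description above is truncated at "malformed chunk size". The Python below is an added example, not Tomcat's HTTP parser, of a strict decoder for the HTTP/1.1 chunked transfer coding: it bounds the number of hex digits before converting the size, caps the reassembled body, and treats every malformed input as fatal for the connection rather than something to skip past. The digit and body limits are assumptions of the example, as are the sample bodies it is tested against.

```python
# Added example: a strict parser for HTTP/1.1 chunked transfer coding that
# rejects malformed chunk sizes instead of trying to recover.  Not Tomcat's
# parser; the digit and body limits are assumptions of this example.
import re

MAX_CHUNK_SIZE_DIGITS = 8        # assumed: no legitimate chunk size needs more hex digits
MAX_BODY_BYTES = 1 << 20         # assumed: cap on the reassembled body

# chunk-size [ chunk-ext ]; matched with fullmatch so a stray LF cannot sneak past
_CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?")


class ChunkedError(ValueError):
    """Malformed chunked body.  The caller must fail the request and close the
    connection; resynchronising on the stream would let whatever follows be
    read as the start of the next request."""


def decode_chunked(data: bytes, max_body: int = MAX_BODY_BYTES):
    """Decode a chunked body.  Returns (body, bytes_consumed) on success and
    raises ChunkedError on anything that is not well-formed."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("chunk-size line not terminated")
        m = _CHUNK_SIZE_LINE.fullmatch(data[pos:eol])
        if m is None:
            raise ChunkedError("chunk-size is not hex: %r" % data[pos:eol])
        digits = m.group(1)
        # Bound the digit count before converting: a parser that reads the size
        # into a fixed-width integer would otherwise overflow or go negative.
        if len(digits.lstrip(b"0")) > MAX_CHUNK_SIZE_DIGITS:
            raise ChunkedError("chunk-size too long: %r" % digits)
        size = int(digits, 16)
        if len(out) + size > max_body:
            raise ChunkedError("body exceeds %d bytes" % max_body)
        pos = eol + 2
        if size == 0:
            break
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedError("chunk truncated")
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk data not terminated by CRLF")
        out += chunk
        pos += size + 2
    # last-chunk is followed by optional trailer fields and an empty line
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("trailer section not terminated")
        line = data[pos:eol]
        pos = eol + 2
        if line == b"":
            return bytes(out), pos
        if b":" not in line:
            raise ChunkedError("malformed trailer field: %r" % line)


def reject_reason(data: bytes):
    """None if data is a well-formed chunked body, else the reason it was
    refused (the string to log or to match in a detection rule)."""
    try:
        decode_chunked(data)
        return None
    except ChunkedError as exc:
        return str(exc)


if __name__ == "__main__":
    # constructed bodies, not captured traffic
    for sample in (b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n",
                   b"FFFFFFFFFFFFFFFF\r\n0\r\n\r\n",
                   b"-4\r\nWiki\r\n0\r\n\r\n"):
        print(sample[:20], "->", reject_reason(sample) or "ok")
```

The second return value matters as much as the body: a caller that knows exactly where the body ended can tell a pipelined follow-up request from leftover garbage, while a decoder that guesses its way past a bad chunk size hands that leftover to the next request parser, which is the mechanism behind request smuggling.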

[SECURITY] CVE-2014-0096 Apache Tomcat information disclosure

2014-05-27 Thread Mark Thomas
CVE-2014-0096 Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.3 - Apache Tomcat 7.0.0 to 7.0.52 - Apache Tomcat 6.0.0 to 6.0.39 Description: The default servlet allows web applications to define (at multiple

[SECURITY] CVE-2014-0119 Apache Tomcat information disclosure

2014-05-27 Thread Mark Thomas
CVE-2014-0119 Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.5 - Apache Tomcat 7.0.0 to 7.0.53 - Apache Tomcat 6.0.0 to 6.0.39 Description: In limited circumstances it was possible for a malicious web

[SECURITY] CVE-2014-0095 Apache Tomcat denial of service

2014-05-27 Thread Mark Thomas
CVE-2014-0095 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC2 to 8.0.3 Description: A regression was introduced in revision 1519838 that caused AJP requests to hang if an explicit content length of zero was set on the

[ANN] Apache Tomcat 8.0.9 (stable) available

2014-06-26 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.9, the first stable release of the 8.0.x series. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies.

[ANN] Apache Tomcat 8.0.11 (stable) available

2014-08-26 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.11. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.11 includes numerous fixes for

[ANN] Apache Tomcat 8.0.12 available

2014-09-04 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.12. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.12 includes numerous fixes for

[SECURITY] CVE-2013-4444 Remote Code Execution in Apache Tomcat

2014-09-10 Thread Mark Thomas
CVE-2013- Remote Code Execution Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 7.0.0 to 7.0.39 Description: In very limited circumstances, it was possible for an attacker to upload a malicious

[ANN] Apache Tomcat Native 1.1.32 released

2014-10-28 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.1.32 stable. The key features of this release are: - Add support for TLSv1.1 and TLSv1.2 - Link Windows binaries with OpenSSL 1.0.1i and APR 1.5.1 Please refer to the change log for the complete list of

Re: [ANN] Apache Tomcat Native 1.1.32 released

2014-10-29 Thread Mark Thomas
On 28/10/2014 21:28, Mark Thomas wrote: The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.1.32 stable. The key features of this release are: - Add support for TLSv1.1 and TLSv1.2 - Link Windows binaries with OpenSSL 1.0.1i and APR 1.5.1 Correction

[ANN] Apache Tomcat 8.0.15 available

2014-11-12 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.15. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.15 includes numerous fixes for

[ANN] Apache Tomcat 6.0.43 released

2014-11-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.43. Apache Tomcat is an open source software implementation of the Java Servlet, JavaServer Pages and Java Expression Language technologies. This release contains a number of bug fixes and improvements compared to

[ANN] Apache Tomcat 8.0.17 available

2015-01-20 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.17. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.17 includes numerous fixes for

[SECURITY] CVE-2014-0227 Apache Tomcat Request Smuggling

2015-02-09 Thread Mark Thomas
CVE-2014-0227 Request Smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.8 - Apache Tomcat 7.0.0 to 7.0.54 - Apache Tomcat 6.0.0 to 6.0.41 Description: It was possible to

[ANN] Apache Tomcat 8.0.20 available

2015-02-24 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.20. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.20 includes numerous fixes for

[ANN] Apache Tomcat Native 1.1.33 released

2015-03-28 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.1.33 stable. The key features of this release are: - Fixed a crash when the poller returned multiple events for the same socket. - Link Windows binaries with OpenSSL 1.0.1m and APR 1.5.1 Please refer to the

[SECURITY] CVE-2014-0230: Apache Tomcat DoS

2015-05-05 Thread Mark Thomas
CVE-2014-0230 Denial of Service Severity: Low Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.8 - Apache Tomcat 7.0.0 to 7.0.54 - Apache Tomcat 6.0.0 to 6.0.43 Description: When a response for a

[ANN] Apache Tomcat 8.0.22 available

2015-05-07 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.22. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.22 includes numerous fixes for

[ANN] Apache Tomcat 6.0.44 available

2015-05-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.44. Apache Tomcat is an open source software implementation of the Java Servlet, JavaServer Pages and Java Expression Language technologies. This release contains a number of bug fixes and improvements compared to

[SECURITY] CVE-2014-7810: Apache Tomcat Security Manager Bypass

2015-05-14 Thread Mark Thomas
CVE-2014-7810 Security Manager Bypass Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.15 - Apache Tomcat 7.0.0 to 7.0.57 - Apache Tomcat 6.0.0 to 6.0.43 Description: Malicious

[ANN] End of life for Apache Tomcat 6.0.x

2015-06-03 Thread Mark Thomas
The Apache Tomcat team announces that support for Apache Tomcat 6.0.x will end on 31 December 2016. This means that after 31 December 2016: - releases from the 6.0.x branch are highly unlikely - bugs affecting only the 6.0.x branch will not be addressed - security vulnerability reports will not

[ANN] Apache Tomcat 8.0.23 available

2015-05-26 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.23. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.23 includes numerous fixes for

[ANN] Apache Tomcat Native 1.2.2 released

2015-11-10 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.2 stable. The key features of this release are: - ALPN support - SNI support - Add access methods for OpenSSL BIO - Windows binaries built with APR 1.5.1 and OpenSSL 1.0.2d - Itanium binaries no longer

[ANN] Apache Tomcat 8.0.28 available

2015-10-15 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.28. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.28 includes fixes for issues

[ANN] Apache Tomcat 8.0.24 available

2015-07-08 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.24. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.24 includes numerous fixes for

[ANN] Apache Tomcat 8.0.30 available

2015-12-07 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.30. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.30 includes fixes for issues

[ANN] Apache Tomcat Native 1.2.3 released

2015-12-16 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.3 stable. The key features of this release are: - Java keystore support. - Various fixes to align the Java and native APIs - Various fixes if building without OpenSSL - Windows binaries built with OpenSSL

[ANN] Apache Tomcat 9.0.0.M1 available

2015-11-19 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.0.M1. Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 9.0.0.M1 is the first milestone

[ANN] Apache Tomcat Native 1.2.4 released

2016-01-12 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.4 stable. The key features of this release are: - Improvements to renegotiation Note that, unless a regression is discovered in 1.2.x, users should now be using 1.2.x in preference to 1.1.x. Please refer to

[ANN] Apache Tomcat 8.0.35 available

2016-05-25 Thread Mark Thomas
Apologies for the delay in sending this out. The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.35. Apache Tomcat 8.0 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies.

Fwd: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

2016-06-21 Thread Mark Thomas
Original Message From: Jochen Wiedmann Sent: 21 June 2016 10:18:15 BST To: priv...@commons.apache.org, "secur...@apache.org" , Tomcat Security List , announce@apache.org, Apache Commons Developers

[SECURITY][CORRECTION] CVE-2016-3092 Apache Tomcat Denial of Service

2016-06-22 Thread Mark Thomas
Note: This announcement corrects several errors and omissions in the Tomcat aspects of the announcement for CVE-2016-3092 from the Apache Commons project that was recently forwarded to various Apache Tomcat mailing lists. For the sake of clarity, the Tomcat specific corrections are as follows: 1.