> On Oct 30, 2013, at 8:36 AM, "kanishk.se...@accenture.com" <kanishk.se...@accenture.com> wrote:
>
> Hi Team,
>
> As per our security team we need to install the below patches on multiple servers to remove vulnerabilities.
>
> Below is the information we have received from our security team; we need your support to have a detailed impact analysis on the compatibility of the below patches.
>
> Apache Tomcat is a container for Java Servlet and Java Server Pages web applications. Multiple vulnerabilities present in some versions of Apache Tomcat could lead to denial of service.
> Multiple flaws are present in Tomcat, which fails to handle an invalid Transfer-Encoding header request that prevents buffer recycling. Successful exploitation could allow an attacker to gain sensitive information or cause a denial of service condition on the affected system.
>
> http://svn.apache.org/viewvc?view=revision&revision=958911
> http://svn.apache.org/viewvc?view=revision&revision=958977
> http://svn.apache.org/viewvc?view=revision&revision=959428
> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
> http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584&actionBtn=Search
Then I would recommend you test your apps with a version of Tomcat that implements these "patches" and then upgrade your servers.

FWIW, Tomcat doesn't do patches. They fix issues and vulnerabilities and then release a new version. Applying patches therefore means upgrading your version of Tomcat. You should be able to go to the latest release in the version you use w/o any hassle (e.g. 7.0.21 -> 7.0.47).

Now ... if you are using one of the many third-party repackaged versions, they do "patches" and you'll have to push them for a package that addresses these vulnerabilities.

-- David

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
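The upgrade decision David describes (stay on your branch and move to its latest release, e.g. 7.0.21 -> 7.0.47) is easy to script once you have more than a handful of servers. What follows is an added example, not code from this thread or from the Tomcat project: a POSIX sh script that reads the version string printed by Tomcat's own `org.apache.catalina.util.ServerInfo` class, works out the branch, and compares the installed version against a per-branch table of minimum releases. The table values used in the example (`7.0=7.0.47`, `6.0=6.0.37`) are placeholders assumed for illustration only; the real minimum version for the Transfer-Encoding fixes must be taken from the Tomcat security page for your branch. `CATALINA_HOME` is assumed to point at the installation being checked.

```shell
#!/bin/sh
# Added example (not from the original thread or the Tomcat project):
# decide whether an installed Tomcat is at or beyond a required release
# on the same branch, so "upgrade 7.0.x to the latest 7.0.y" can be
# checked across many servers. Fixed-release values are passed in by the
# caller and are ASSUMED placeholders here.

# Reads ServerInfo output on stdin and prints the bare version, e.g.
# "Server version: Apache Tomcat/7.0.21" -> "7.0.21". Real input comes from:
#   java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo
tomcat_version_from_serverinfo() {
    sed -n 's/^Server version: *Apache Tomcat\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Branch is major.minor: "7.0.21" -> "7.0".
tomcat_branch() {
    printf '%s\n' "$1" | cut -d. -f1,2
}

# Numeric, component-wise comparison of two dotted versions.
# Prints -1, 0 or 1 (strcmp-style); missing trailing components count as 0,
# so "7.0" and "7.0.0" compare equal and "6.0.28" > "6.0.9".
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo 0
}

# tomcat_needs_upgrade INSTALLED branch=version [branch=version ...]
# Exit status: 0 = upgrade needed, 1 = already at/after the required
# release on its branch, 2 = branch not in the table. Prints one verdict line.
tomcat_needs_upgrade() {
    installed="$1"; shift
    branch="$(tomcat_branch "$installed")"
    for pair in "$@"; do
        case "$pair" in
            "$branch="*)
                fixed="${pair#*=}"
                if [ "$(version_cmp "$installed" "$fixed")" -lt 0 ]; then
                    echo "UPGRADE: $installed -> $fixed (branch $branch)"
                    return 0
                fi
                echo "OK: $installed already >= $fixed (branch $branch)"
                return 1
                ;;
        esac
    done
    echo "UNKNOWN: no required release recorded for branch $branch"
    return 2
}

# Stand-alone use against a real installation; skipped when CATALINA_HOME
# is unset. The branch=version pairs below are ASSUMED placeholders.
if [ -n "${CATALINA_HOME:-}" ] && [ -f "$CATALINA_HOME/lib/catalina.jar" ]; then
    v="$(java -cp "$CATALINA_HOME/lib/catalina.jar" \
            org.apache.catalina.util.ServerInfo | tomcat_version_from_serverinfo)"
    tomcat_needs_upgrade "$v" "7.0=7.0.47" "6.0=6.0.37"
fi
```

Run it on each host (or feed it the ServerInfo output collected by your configuration management) and act on the exit status. It deliberately compares only within a branch, matching David's point that the supported move is to the latest release of the branch already in use; a server on a branch that is not in the table gets an UNKNOWN verdict rather than a silent OK.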