On Tue, Oct 03, 2017 at 10:55:26AM +0000, Mark Thomas wrote:
>CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
>
>Severity: Important
>
>Vendor: The Apache Software Foundation
>
>Versions Affected:
>[...]
>Apache Tomcat 8.0.0.RC1 to 8.0.46
>[...]
>
>Description:
>When running with HTTP PUTs enabled (e.g. via setting the readonly
>initialisation parameter of the Default servlet to false) it was
>possible to upload a JSP file to the server via a specially crafted
>request. This JSP could then be requested and any code it contained
>would be executed by the server.
>
>Mitigation:
>Users of the affected versions should apply one of the following
>mitigations:
>[...]
>- Upgrade to Apache Tomcat 8.0.47 or later
>[...]
I haven't seen an announcement for 8.0.47, nor does the Apache Tomcat
website seem to reference it yet, but it appears to be available in the
distribution archive(s). E.g.:

<http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.47/bin/>

Is this 8.0.47 blessed for use?

Aloha,
-baron

--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
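The quoted advisory names one precondition for the upload: the Default servlet's readonly init-param set to false, which enables HTTP PUT. Until an instance is upgraded, the quickest thing to verify is whether conf/web.xml actually has that setting. The script below is an added example, not part of the original message and not code from the Tomcat project. It assumes the stock layout of Tomcat's conf/web.xml, where the Default servlet is declared with servlet-class org.apache.catalina.servlets.DefaultServlet and readonly is one of its init-params (readonly defaults to true when the param is absent). The sample web.xml it generates is constructed for illustration and is not a real Tomcat file; the com.example.OtherServlet entry is a constructed distractor to show that a readonly param on some other servlet is ignored.

```shell
#!/bin/sh
# Added example (not from the Tomcat project): report whether the Default
# servlet in a web.xml is writable (readonly=false), i.e. HTTP PUT enabled.

default_servlet_readonly() {
  # $1: path to a web.xml. Scans only the <servlet> element whose
  # <servlet-class> is org.apache.catalina.servlets.DefaultServlet and
  # prints its "readonly" init-param value; prints "true" when absent
  # (Tomcat's documented default for the Default servlet).
  awk '
    /<servlet>/ { inservlet = 1; isdefault = 0; pname = "" }
    inservlet && /org\.apache\.catalina\.servlets\.DefaultServlet/ { isdefault = 1 }
    inservlet && isdefault && /<param-name>/ {
      gsub(/.*<param-name>[ \t]*|[ \t]*<\/param-name>.*/, "")
      pname = $0
    }
    inservlet && isdefault && pname == "readonly" && /<param-value>/ {
      gsub(/.*<param-value>[ \t]*|[ \t]*<\/param-value>.*/, "")
      value = tolower($0)
      pname = ""
    }
    /<\/servlet>/ { inservlet = 0 }
    END { if (value == "") value = "true"; print value }
  ' "$1"
}

tomcat_put_enabled() {
  # $1: path to a web.xml. Prints "put-enabled" when readonly is
  # explicitly false, "readonly" otherwise.
  if [ "$(default_servlet_readonly "$1")" = "false" ]; then
    echo "put-enabled"
  else
    echo "readonly"
  fi
}

make_sample_web_xml() {
  # Constructed sample (not a real Tomcat conf/web.xml) for demonstration.
  # $1: "true", "false", or "absent" (no readonly init-param at all).
  readonly_block=""
  if [ "$1" != "absent" ]; then
    readonly_block="    <init-param>
      <param-name>readonly</param-name>
      <param-value>$1</param-value>
    </init-param>"
  fi
  cat <<EOF
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
$readonly_block
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>other</servlet-name>
    <servlet-class>com.example.OtherServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
EOF
}

# Usage on a real instance: sh check_put.sh /opt/tomcat/conf/web.xml
if [ -n "$1" ]; then
  tomcat_put_enabled "$1"
fi
```

Run it against $CATALINA_BASE/conf/web.xml (and any per-application WEB-INF/web.xml that redeclares the Default servlet). "put-enabled" means the server matches the advisory's precondition and needs the upgrade or the readonly=true change before anything else; "readonly" only clears this one precondition, it does not replace upgrading to 8.0.47 or later.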