Roger that, thanks

On Thu, Oct 18, 2018, 9:38 AM Christopher Schultz <ch...@christopherschultz.net> wrote:

>
> Alex,
>
> On 10/18/18 11:08, Alex O'Ree wrote:
> > Basically. I start with the tomcat distro, apply my changes,  then
> > zip it up and distribute. I'm at a situation when patches are
> > preferable over a complete reinstall of my product thus the
> > inquiry.  I can probably just replace all the tomcat bits and be
> > done with it.
>
> Tomcat only ships with .jar files and configuration. Feel free to just
> overwrite all the JAR files with the newer Tomcat ones. It's just as
> easy to replace all two-dozen of them as it would be to replace a
> single one, right?
>
> -chris
>
> > On Thu, Oct 18, 2018, 8:52 AM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Alex,
> >
> > On 10/14/18 18:06, Alex O'Ree wrote:
> >>>> Is there perhaps a patch that can be applied or better yet, a
> >>>> list of jars that were affected by this? (I'm just trying
> >>>> to find a simple way to patch a large volume of servers)
> >
> > There is nothing official. Nobody has individually identified
> > which svn revisions fix this issue, so your only options really
> > are:
> >
> > 1. Grab the previous version from source, apply all patches and
> > deploy (this is the same as just grabbing the new binaries,
> > assuming you trust ASF distros)
> >
> > 2. Grab the new binaries, determine which JARs are different
> > (which may not be super-easy), then copy those to each server. But
> > then you have a server which reports x.y.z but is actually x.y.z+∂
> > :(
> >
> > 3. Look at all the commits in ∂ and try to guess the problem.
> > Then, mitigate it at e.g. reverse-proxy or WAF level. One way would
> > be to prevent redirects to sites other than your own (which is
> > really the big danger for open-redirects). Just look for
> > sketchy-looking Location response headers. :)
> >
> > I'm curious how you handle upgrades in general. This certainly
> > isn't the first security issue in Tomcat that requires an update
> > in your environment. How do you usually handle updates?
> >
> > -chris
> >
> >>>> On Wed, Oct 10, 2018 at 10:23 AM Christopher Schultz <
> >>>> ch...@christopherschultz.net> wrote:
> >>>>
> >>>> Mark and Michael,
> >>>>
> >>>> On 10/10/18 05:15, Mark Thomas wrote:
> >>>>>>> On 08/10/18 21:55, Michael Yoder wrote:
> >>>>>>>> On Wed, Oct 3, 2018 at 12:50 PM Mark Thomas
> >>>>>>>> <ma...@apache.org> wrote:
> >>>>>>>>> CVE-2018-11784 Apache Tomcat - Open Redirect
> >>>>>>>>
> >>>>>>>> Is it possible to get more information on the
> >>>>>>>> "specially crafted URL"? I'd like more information so
> >>>>>>>> that I can test if some of our apps are vulnerable.
> >>>>>>>
> >>>>>>> Generally, there is a balance to strike here between
> >>>>>>> making it easy for the less technically competent
> >>>>>>> attackers to construct an attack and making it easy for
> >>>>>>> end users to figure out if they are vulnerable. The way
> >>>>>>> we typically do this is by describing the conditions
> >>>>>>> necessary for an attack to be possible as completely as
> >>>>>>> possible but not providing details of how to perform an
> >>>>>>> attack.
> >>>>>>>
> >>>>>>> We also provide references to the commit that fixed
> >>>>>>> the issue. For someone with the right skills, there is
> >>>>>>> usually enough information in the description and the
> >>>>>>> commit for a successful attack to be reverse
> >>>>>>> engineered.
> >>>>
> >>>> It doesn't look like Sergey has posted anything (that I can
> >>>> find) that might be called a full disclosure. If he had, I'd
> >>>> point it out.
> >>>>
> >>>> If I were you, I'd just make sure that you either (a) upgrade
> >>>> or (b) use the existing settings to mitigate the potential
> >>>> problem, as described in the announcement.
> >>>>
> >>>> -chris
> >>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>>>
> >

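Option 2 above (grab the new binaries and work out which JARs actually differ) is easy to automate. The script below is an added example and is not code from the thread or from the Tomcat project: it walks two unpacked distribution directories (the currently deployed one and the new release), hashes every `.jar` with SHA-256, and reports which ones changed, were added or were removed, so that only those need copying to each server. The `build_demo_trees()` helper constructs two throw-away trees with made-up JAR contents purely so the example runs offline; in real use you would point `diff_jars()` at the two real directories.

```python
"""Compare the JAR files of two unpacked Tomcat distributions by SHA-256.

Added example (not from the mailing-list thread or the Tomcat project).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def jar_digests(root):
    """Map every *.jar below root (POSIX-style relative path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*.jar")}


def diff_jars(old_root, new_root):
    """Classify the JARs of two distributions by whether their content differs."""
    old, new = jar_digests(old_root), jar_digests(new_root)
    common = old.keys() & new.keys()
    return {
        "changed": sorted(k for k in common if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "unchanged": sorted(k for k in common if old[k] == new[k]),
    }


def build_demo_trees():
    """Construct two temporary trees standing in for an old and a new unpack.

    The JAR "contents" are made-up bytes, not real archives; only the
    bin/ and lib/ layout mirrors a Tomcat distribution.
    """
    base = Path(tempfile.mkdtemp(prefix="tomcat-jar-diff-"))
    old, new = base / "old", base / "new"
    files = {
        old / "bin" / "bootstrap.jar": b"bootstrap v1",
        old / "lib" / "catalina.jar": b"catalina v1",
        old / "lib" / "tomcat-coyote.jar": b"coyote v1",
        old / "lib" / "old-only.jar": b"dropped in the new release",
        new / "bin" / "bootstrap.jar": b"bootstrap v1",   # identical bytes
        new / "lib" / "catalina.jar": b"catalina v2",     # content changed
        new / "lib" / "tomcat-coyote.jar": b"coyote v2",  # content changed
        new / "lib" / "new-only.jar": b"introduced in the new release",
    }
    for path, content in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return old, new


if __name__ == "__main__":
    result = diff_jars(*build_demo_trees())
    for kind, names in result.items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Hashing rather than comparing file names catches the case Chris alludes to: a JAR whose name (and version string) is unchanged but whose bytes differ. The caveat from the thread still applies: after copying only the changed JARs, the server will report the old version number while actually running newer code, so keep your own record of what was applied.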
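Option 3 above suggests mitigating at the reverse proxy or WAF by refusing redirects to hosts other than your own. The following is an added example of that check, not code from the thread, from the Tomcat project or from any particular proxy product: it parses a `Location` header value the way a browser would resolve it and allows it only when it is a same-origin relative path or names a host on an allow-list. The allow-list `ALLOWED_HOSTS` and the `SAMPLE_RESPONSES` are constructed for the demonstration.

```python
"""Screen redirect responses so a Location header can only point at your own hosts.

Added example (not from the thread or the Tomcat project); the allow-list and
sample responses are made up for the demonstration.
"""
from urllib.parse import urlsplit

# Hosts this deployment may redirect to (assumed for the example).
ALLOWED_HOSTS = {"www.example.com", "sso.example.com"}


def location_allowed(location, allowed_hosts=ALLOWED_HOSTS):
    """Return True if the Location value keeps the browser on an allowed host.

    A plain relative path ("/login") is same-origin and passes. Any value with
    an explicit or protocol-relative authority ("//host/...") must name an
    allowed host; the comparison is case-insensitive and ignores userinfo
    (user@host), which browsers do not treat as the destination.
    """
    value = location.strip()
    if not value:
        return False
    # Browsers treat a backslash in the authority like a forward slash, so
    # normalise first so that our parse agrees with theirs.
    parts = urlsplit(value.replace("\\", "/"))
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return False          # e.g. mailto:, data:; not a web redirect we want
    if scheme and not parts.netloc:
        return False          # "http:host" style: ambiguous, reject
    if not parts.netloc:
        return True           # relative path, stays on the current origin
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def screen_responses(responses, allowed_hosts=ALLOWED_HOSTS):
    """Given (status, Location) pairs, return the redirects a proxy should block."""
    blocked = []
    for status, location in responses:
        is_redirect = 300 <= status < 400 and location is not None
        if is_redirect and not location_allowed(location, allowed_hosts):
            blocked.append((status, location))
    return blocked


# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES = [
    (302, "/login?next=%2Fapp"),                          # relative: allowed
    (302, "https://sso.example.com/auth"),                # allow-listed host
    (301, "HTTPS://WWW.EXAMPLE.COM/new-path"),            # case differs: allowed
    (302, "//elsewhere.example/page"),                    # protocol-relative: blocked
    (302, "/\\elsewhere.example/page"),                   # backslash form: blocked
    (302, "https://www.example.com@elsewhere.example/"),  # userinfo trick: blocked
    (200, None),                                          # not a redirect
]

if __name__ == "__main__":
    for status, location in screen_responses(SAMPLE_RESPONSES):
        print(f"would block {status} redirect to {location!r}")
```

The point of normalising before parsing is that the proxy's view of the URL must match the browser's: a check that only looks for `://` would pass the protocol-relative and backslash forms while a browser would happily follow them off-site. Logging the blocked values (rather than silently dropping them) also gives you a signal that something upstream is emitting redirects it should not.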