[ANN] Apache Tomcat Connectors 1.2.30 released
1 Mar/100
The Apache Tomcat team announces the immediate availability of Apache Tomcat Connectors 1.2.30 stable.

Apache Tomcat Connectors 1.2.30 concentrates mainly on bug fixes.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-connectors.cgi

Please note that syncing the release to the download mirrors might take up to 48 hours.

Important Notice: Version 1.2.29 has been withdrawn from the released versions because of a regression found with the Microsoft IIS connector.

Thank you
-- The Apache Tomcat team
[ANN] Apache Tomcat Connectors 1.2.29 released
26 Feb/100
The Apache Tomcat team announces the immediate availability of Apache Tomcat Connectors 1.2.29 stable.

Apache Tomcat Connectors 1.2.29 concentrates mainly on bug fixes.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/connectors-doc-1.2.29/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-connectors.cgi

Please note that syncing the release to the download mirrors might take up to 48 hours.

Thank you,
-- The Tomcat Team
[ANN] Apache Tomcat Native 1.1.20 released
17 Feb/100
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.1.20 stable.

This release includes a fix for a JVM crash on Tomcat shutdown.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

Thank you,
-- The Apache Tomcat Team
[SECURITY] CVE-2009-2901 Apache Tomcat insecure partial deploy after failed undeploy
24 Jan/100
CVE-2009-2901: Apache Tomcat insecure partial deploy after failed undeploy

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be affected.

Description:
By default, Tomcat automatically deploys any directories placed in a host's appBase. This behaviour is controlled by the autoDeploy attribute of a host, which defaults to true. After a failed undeploy, the remaining files will be deployed as a result of the autodeployment process. Depending on circumstances, files normally protected by one or more security constraints may be deployed without those security constraints, making them accessible without authentication.

Mitigation:
6.0.x users should upgrade to 6.0.24 or apply this patch:
http://svn.apache.org/viewvc?rev=892815&view=rev
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
http://svn.apache.org/viewvc?rev=902650&view=rev

Note: the patches also address CVE-2009-2693 and CVE-2009-2902.

Alternatively, users of all Tomcat versions may mitigate this issue by manually ensuring that an undeploy removes all files. If one or more files cannot be deleted, it may be necessary to stop Tomcat before the files can be deleted.

Credit:
This issue was discovered by the Apache Tomcat security team

References:
[1] http://tomcat.apache.org/security.html

Mark Thomas
[SECURITY] CVE-2009-2902 Apache Tomcat unexpected file deletion in work directory
24 Jan/100
CVE-2009-2902: Apache Tomcat unexpected file deletion in work directory

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be affected.

Description:
When deploying WAR files, the WAR file names were not checked for directory traversal attempts. This allows an attacker to cause the deletion of the current contents of the host's work directory, which may cause problems for currently running applications.

Mitigation:
6.0.x users should upgrade to 6.0.24 or apply this patch:
http://svn.apache.org/viewvc?rev=892815&view=rev
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
http://svn.apache.org/viewvc?rev=902650&view=rev

Note: the patches also address CVE-2009-2693 and CVE-2009-2901.

Alternatively, users of all Tomcat versions may mitigate this issue by manually validating the contents of untrusted WAR files before deployment.

Example:
Deploying and undeploying a WAR named "...war" causes all files and subdirectories in "work//" to be removed.

Credit:
This issue was discovered by the Apache Tomcat security team

References:
[1] http://tomcat.apache.org/security.html
[SECURITY] CVE-2009-2693 Apache Tomcat unexpected file deletion and/or alteration
24 Jan/100
CVE-2009-3548: Apache Tomcat unexpected file deletion and/or alteration

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be affected.

Description:
When deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root.

Mitigation:
6.0.x users should upgrade to 6.0.24 or apply this patch:
http://svn.apache.org/viewvc?rev=892815&view=rev
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
http://svn.apache.org/viewvc?rev=902650&view=rev

Note: the patches also address CVE-2009-2901 and CVE-2009-2902.

Alternatively, users of all Tomcat versions may mitigate this issue by manually validating the contents of untrusted WAR files before deployment.

Example:
A WAR file that contains the following entry will overwrite the standard Windows start-up script when deployed on a default Tomcat installation:
../../bin/catalina.bat

Credit:
This issue was reported to the Apache Tomcat security team by Marc Schoenefeld of the Red Hat Security Response Team

References:
[1] http://tomcat.apache.org/security.html

Mark Thomas
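The two advisories above (CVE-2009-2902 and the WAR-entry traversal issue) share one manual mitigation: validate untrusted WAR files before they reach a host's appBase. The following pre-deployment check is an added example written for this page, not code from the advisories or from Tomcat itself; it assumes WARs are ordinary ZIP archives and that the context name is derived from the file name minus ".war". The sample WAR is constructed inline and reproduces the "../../bin/catalina.bat" entry quoted in the advisory.

```python
import io
import posixpath
import zipfile


def is_unsafe_war_name(file_name: str) -> bool:
    """CVE-2009-2902 pattern: the WAR's base name becomes the context and work
    directory name, so "...war" (base name "..") points at the parent directory.
    Path separators and NUL bytes are rejected outright."""
    if any(c in file_name for c in ("/", "\\", "\x00")):
        return True
    base = file_name[:-4] if file_name.lower().endswith(".war") else file_name
    return base in ("", ".", "..")


def unsafe_war_entries(war_bytes: bytes) -> list:
    """WAR-entry traversal pattern: entries such as "../../bin/catalina.bat"
    that would be written outside the expanded webapp directory. Absolute
    paths, drive letters and NUL bytes are flagged too; "a/../b" is allowed."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            name = entry.replace("\\", "/")
            if name.startswith("/") or name[1:3] == ":/" or "\x00" in name:
                bad.append(entry)
                continue
            norm = posixpath.normpath(name)
            if norm == ".." or norm.startswith("../"):
                bad.append(entry)
    return bad


def validate_war(file_name: str, war_bytes: bytes) -> list:
    """Every reason this WAR should not be dropped into a host's appBase."""
    problems = []
    if is_unsafe_war_name(file_name):
        problems.append("unsafe WAR file name: %r" % file_name)
    problems.extend("unsafe entry: %r" % e for e in unsafe_war_entries(war_bytes))
    return problems


def build_sample_war() -> bytes:
    """Constructed sample, not a real artefact: one normal entry plus the
    traversal entry quoted in the advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("../../bin/catalina.bat", "@echo off\r\n")
    return buf.getvalue()
```

An empty list from validate_war() means the archive is safe to copy into appBase; anything else should be rejected before autoDeploy sees it.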
[ANN] Apache Tomcat Native 1.1.19 released
21 Jan/100
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.1.19 stable.

This release includes a few minor fixes over Tomcat Native 1.1.18.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

Thank you,
-- The Apache Tomcat Team
[ANN] Apache Tomcat 4.1.40 stable is now available
26 Jun/090
The Apache Tomcat team is proud to announce the immediate availability
of Tomcat 4.1.40 stable. This build contains a small number of bug fixes
and two important and three low severity security fixes.
Please refer to the release notes for a complete list of changes.
Apache Tomcat 4 is an implementation of the Java Server Pages 1.2 and
Java Servlet 2.3 specifications.
Apache Tomcat 4.1.40 is very likely to be the last release of the 4.1.x
series. Users should be aware that if further security vulnerabilities
are reported in Apache Tomcat, the 4.1.x series will not be reviewed to
determine if the 4.1.x series is affected, neither will a further
release containing a security fix be made for the 4.1.x series. Users
still using the 4.1.x series are strongly encouraged to upgrade to the
latest stable release of the 6.0.x series, 6.0.20.
All Apache Tomcat releases will always be available from the Apache
archives.
Downloads: http://tomcat.apache.org/download-41.cgi
Security information: http://tomcat.apache.org/security-4.html
The Apache Tomcat Team
Cryptographic software notice
=============================
This distribution includes cryptographic software. The country in
which you currently reside may have restrictions on the import,
possession, use, and/or re-export to another country, of
encryption software. BEFORE using any encryption software, please
check your country's laws, regulations and policies concerning the
import, possession, or use, and re-export of encryption software, to
see if this is permitted. See for more
information.
The U.S. Government Department of Commerce, Bureau of Industry and
Security (BIS), has classified this software as Export Commodity
Control Number (ECCN) 5D002.C.1, which includes information security
software using or performing cryptographic functions with asymmetric
algorithms. The form and manner of this Apache Software Foundation
distribution makes it eligible for export under the License Exception
ENC Technology Software Unrestricted (TSU) exception (see the BIS
Export Administration Regulations, Section 740.13) for both object
code and source code.
The following provides more details on the included cryptographic
software:
- Tomcat includes code designed to work with JSSE
- Tomcat includes code designed to work with OpenSSL