Posted to users@tomcat.apache.org by "Nithiyanandam BALASUBRAMANIYAN (Oneberry)" <ni...@oneberry.com> on 2023/11/07 01:21:55 UTC

Vulnerabilities Patches

Hi,

I am using Tomcat Apache Version 8.5.94 on Windows Server 2012. I recently received the following vulnerability alerts to fix:

  1. Request smuggling CVE-2023-45648 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45648>
  2. Denial of Service CVE-2023-44487 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487>
  3. Denial of Service CVE-2023-42794 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42794>
  4. Information Disclosure CVE-2023-42795 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42795>

Can you help by letting me know the steps to fix these vulnerabilities for my current version on Windows?

Thanks

Best regards,

Nithi,
Head Ops, Commercial and Industrial,
Product Management and SW apps
Mobile:92487954

Oneberry Technologies Pte Ltd
Web: www.oneberry.com<http://www.oneberry.com/>
Tel: (65) 6692 6760 | Fax: (65) 6280 2921
Address: One Pemimpin, 1 Pemimpin Drive, #08-03, Singapore 576151


Re: Vulnerabilities Patches

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Nithiyanandam,

On 11/8/23 22:06, Nithiyanandam BALASUBRAMANIYAN (Oneberry) wrote:
> I want to upgrade from 8.5.94 to 8.5.95. Is it the easiest way to
> upgrade? Like I have seen the jar file copy from old version to new
> version. Sorry, I am new to Apache.

I would highly recommend against simply copying "the JARs". You may 
sometimes be able to get away with that, but it's best to leave Tomcat's 
installation directory untouched to make sure you have all the resources 
Tomcat is expecting to find there.

-chris


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Vulnerabilities Patches

Posted by "Nithiyanandam BALASUBRAMANIYAN (Oneberry)" <ni...@oneberry.com>.
Thanks for the reply,

I want to upgrade from 8.5.94 to 8.5.95. Is it the easiest way to upgrade? Like I have seen the jar file copy from old version to new version. Sorry, I am new to Apache.






Re: Vulnerabilities Patches

Posted by Christopher Schultz <ch...@christopherschultz.net>.
All,

On 11/6/23 20:32, James H. H. Lampert wrote:
> On 11/6/23 5:21 PM, Nithiyanandam BALASUBRAMANIYAN (Oneberry) wrote:
>> I am using Tomcat Apache Version 8.5.94 on Windows Server 2012.
>> I recently received the following vulnerability alerts to fix:
> 
> Short answer: you're already there. And the latest Tomcat 8 (which I 
> just bumped a customer up to) is 8.5.95.
> 
> On an IBM Midrange box, I just manually copy the keystore, our webapps, 
> and certain configuration settings over from the old version to the new 
> version, then find a good time to switch the customer over (which 
> involves shutting down the old Tomcat, renaming the old and new Tomcat 
> directories, and restarting it with the new version in place). Piece of
> cake.
> 
> I understand that Linux, WinDoze, and Mac have ways to bump up the 
> Tomcat version that are even easier.

https://tomcat.apache.org/presentations.html#latest-split-installation

-chris



Re: Vulnerabilities Patches

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com.INVALID>.
On 11/6/23 5:21 PM, Nithiyanandam BALASUBRAMANIYAN (Oneberry) wrote:
> I am using Tomcat Apache Version 8.5.94 on Windows Server 2012. I recently received the following vulnerability alerts to fix:

Short answer: you're already there. And the latest Tomcat 8 (which I 
just bumped a customer up to) is 8.5.95.

On an IBM Midrange box, I just manually copy the keystore, our webapps, 
and certain configuration settings over from the old version to the new 
version, then find a good time to switch the customer over (which 
involves shutting down the old Tomcat, renaming the old and new Tomcat 
directories, and restarting it with the new version in place). Piece of cake.

I understand that Linux, WinDoze, and Mac have ways to bump up the 
Tomcat version that are even easier.

--
JHHL




Re: Vulnerabilities Patches

Posted by Chuck Caldarale <n8...@gmail.com>.

> On Nov 6, 2023, at 19:27, Nithiyanandam BALASUBRAMANIYAN (Oneberry) <ni...@oneberry.com> wrote:
> 
> May I know how to apply this on Windows, as my system is not allowed internet access? Thanks


If you’re running 8.5.94, those four CVEs are already fixed in that version.

  - Chuck
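
The statement above can be confirmed on the offline Windows host itself. The PowerShell below is an added example, not part of the original thread or of Tomcat's own tooling: it reads `server.number` from `lib\catalina.jar` and compares it with the fixed-in release the thread gives for each CVE (8.5.94). The parameter `-CatalinaHome` and the helper `Get-TomcatVersion` are names made up for this example.

```powershell
# Added example (not from the thread): offline check of an installed Tomcat
# against the fixed-in release the thread gives for each reported CVE.
param(
    # Tomcat installation directory; defaults to the CATALINA_HOME variable.
    [string]$CatalinaHome = $env:CATALINA_HOME
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Per the thread, all four CVEs are fixed in 8.5.94.
$fixedIn = @{
    'CVE-2023-45648' = [version]'8.5.94'
    'CVE-2023-44487' = [version]'8.5.94'
    'CVE-2023-42794' = [version]'8.5.94'
    'CVE-2023-42795' = [version]'8.5.94'
}

# Get-TomcatVersion is a helper name made up for this example.
function Get-TomcatVersion {
    param([Parameter(Mandatory = $true)][string]$TomcatHome)

    # Read the version from the jar itself: a ServerInfo.properties override
    # placed under lib\ changes the advertised banner, not the shipped code.
    $jar = Join-Path $TomcatHome 'lib\catalina.jar'
    $jarPath = (Resolve-Path -LiteralPath $jar -ErrorAction Stop).ProviderPath
    $zip = [System.IO.Compression.ZipFile]::OpenRead($jarPath)
    try {
        $entry = $zip.GetEntry('org/apache/catalina/util/ServerInfo.properties')
        if ($null -eq $entry) { throw "ServerInfo.properties not found in $jarPath" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
    }
    finally { $zip.Dispose() }

    # The file carries a line such as server.number=8.5.94.0
    if ($text -notmatch '(?m)^server\.number=(\d+(?:\.\d+){1,3})') {
        throw 'server.number not found in ServerInfo.properties'
    }
    return [version]$Matches[1]
}

$installed = Get-TomcatVersion -TomcatHome $CatalinaHome
foreach ($cve in ($fixedIn.Keys | Sort-Object)) {
    $fixed  = $fixedIn[$cve]
    $status = if ($installed -ge $fixed) { 'fixed' } else { 'UPGRADE NEEDED' }
    '{0}: fixed in {1}, installed {2} -> {3}' -f $cve, $fixed, $installed, $status
}
```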






RE: Vulnerabilities Patches

Posted by "Nithiyanandam BALASUBRAMANIYAN (Oneberry)" <ni...@oneberry.com>.
Hi Evan,

Thanks for the reply.

May I know how to apply this on Windows, as my system is not allowed internet access? Thanks




Re: Vulnerabilities Patches

Posted by Evan Rempel <er...@uvic.ca>.
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94

On 2023-11-06 17:21, Nithiyanandam BALASUBRAMANIYAN (Oneberry) wrote:
>
> Hi,
>
> I am using Tomcat Apache Version 8.5.94 on Windows Server 2012.
> I recently received the following vulnerability alerts to fix:
>
>  1. *Request smuggling* CVE-2023-45648
>     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45648>
>  2. *Denial of Service* CVE-2023-44487
>     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487>
>  3. *Denial of Service* CVE-2023-42794
>     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42794>
>  4. *Information Disclosure* CVE-2023-42795
>     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42795>
>
> Can you help by letting me know the steps to fix these vulnerabilities
> for my current version on Windows?
>
> Thanks