Posted to users@tomcat.apache.org by "Kreuser, Peter" <pk...@airplus.com> on 2015/07/16 13:16:59 UTC

Question concerning mod_jk Security Fix CVE-2014-8111

Please let me repeat my question from June 6th:

Why is this CVE still not addressed in "Apache Tomcat JK Connectors vulnerabilities" http://tomcat.apache.org/security-jk.html?

http://www.cvedetails.com/cve/CVE-2014-8111/



---------------------------------
Hi,

could you please tell us when the fixed mod_jk version 1.2.41 will be publicly available?

The webpage does not mention any vulnerability at all, and lists no newer release than the vulnerable 1.2.40.

For now RedHat mentions only the fix to the source code from December 2014.
http://svn.apache.org/viewvc?view=revision&revision=1647017

Best regards.

Peter


Re: AW: Question concerning mod_jk Security Fix CVE-2014-8111

Posted by Felix Schumacher <fe...@internetallee.de>.

On 8 August 2015 14:11:11 CEST, Christopher Schultz <ch...@christopherschultz.net> wrote:
>Chinoy,
>
>On 8/5/15 4:39 AM, Chinoy Gupta wrote:
>> When can we expect the release of JK 1.2.41 source code?
>
>Well, you can get your hands on it right now: svn trunk is always
>available.

+1

>
>Or you can wait for the vote to finish... I believe we have 3 votes to
>release.

But only two of them are binding. 

Sorry, 
Felix 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: AW: Question concerning mod_jk Security Fix CVE-2014-8111

Posted by Mark Thomas <ma...@apache.org>.
On 11/08/2015 20:03, Christopher Schultz wrote:
> Chinoy,
> 
> On 8/8/15 10:47 AM, Chinoy Gupta wrote:
>> Is the trunk stable?
> 
> Fairly. But there is a tag for 1.2.41 if you'd rather use that. It's
> not yet an official ASF release, though.

But it does have 3 +1 binding votes to release and it is going to be
official later today or tomorrow. Details on the dev list until the
official announcement.

Mark


Re: AW: Question concerning mod_jk Security Fix CVE-2014-8111

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chinoy,

On 8/8/15 10:47 AM, Chinoy Gupta wrote:
> Is the trunk stable?

Fairly. But there is a tag for 1.2.41 if you'd rather use that. It's
not yet an official ASF release, though.

-chris


Re: AW: Question concerning mod_jk Security Fix CVE-2014-8111

Posted by Chinoy Gupta <cg...@adobe.com>.
Chris,

Is the trunk stable?

Regards,
Chinoy


Re: AW: Question concerning mod_jk Security Fix CVE-2014-8111

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chinoy,

On 8/5/15 4:39 AM, Chinoy Gupta wrote:
> When can we expect the release of JK 1.2.41 source code?

Well, you can get your hands on it right now: svn trunk is always
available.

Or you can wait for the vote to finish... I believe we have 3 votes to
release.

http://tomcat.markmail.org/thread/evury5r6rwcls5df

-chris



RE: AW: Question concerning mod_jk Security Fix CVE-2014-8111

Posted by Chinoy Gupta <cg...@adobe.com>.
Hi,

When can we expect the release of JK 1.2.41 source code?

Regards,
Chinoy


Re: AW: Question concerning mod_jk Security Fix CVE-2014-8111

Posted by Mark Thomas <ma...@apache.org>.
On 20/07/2015 10:58, Kreuser, Peter wrote:

<snip/>

> Hi Mark,
> 
> I appreciate your open comment and that clarifies the lengthy wait. I
> trust that now the solution gets going and will be solved soonish.
> 
> I'm in no position to criticize any wrongdoing on this CVE. I only
> hope to find a clearer communication on the tomcat-security sites in
> the future and if THAT is RedHat's fault, then please clean up the
> process with them.

I've just updated the JK security page on the Tomcat web site.

To be clear, keeping this page up to date is entirely the responsibility
of the Tomcat committers. We dropped the ball on this one. That said, I
had hoped - much like I hoped with the release - that RedHat would have
directed one of their employees who is a committer to do the update.
When that didn't happen pretty much immediately, we (the Tomcat
committers) should have done it.

I've read through the release docs and I should be able to get a 1.2.41
source release out. I'm planning on doing that next. Binary releases are
going to have to wait for other folks to contribute them.

Cheers,

Mark

> Thank You. Best regards,
> 
> Peter
> 
> PS: is that the correct position to add my response?

Yes, it was.


AW: Question concerning mod_jk Security Fix CVE-2014-8111

Posted by "Kreuser, Peter" <pk...@airplus.com>.
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Friday, 17 July 2015 12:33
> To: Tomcat Users List
> Subject: Re: Question concerning mod_jk Security Fix CVE-2014-8111

Hi Mark,

I appreciate your open comment and that clarifies the lengthy wait. I trust that now the solution gets going and will be solved soonish.

I'm in no position to criticize any wrongdoing on this CVE. I only hope to find a clearer communication on the tomcat-security sites in the future and if THAT is RedHat's fault, then please clean up the process with them.

Thank You. Best regards,

Peter

PS: is that the correct position to add my response?


Re: Question concerning mod_jk Security Fix CVE-2014-8111

Posted by Mark Thomas <ma...@apache.org>.
On 16/07/2015 13:16, Kreuser, Peter wrote:
> Please let me repeat my question from June 6th:
> 
> Why is this CVE still not addressed in "Apache Tomcat JK Connectors vulnerabilities" http://tomcat.apache.org/security-jk.html?
> 
> http://www.cvedetails.com/cve/CVE-2014-8111/

I'm a project committer but this is my personal view. It is not an
official project view.

The information on that CVE was leaked by RedHat's security team when
they broke embargoes associated with two Tomcat security vulnerabilities
that they had been informed of in advance and in confidence. (There were
also errors in the information they leaked about the other vulnerability
that made it appear to be much worse than it actually is.)

To be clear, the Tomcat committers who are employed by RedHat were in no
way responsible for the leaking of this information. The leak was
entirely the fault of the RedHat security team.

The mod_jk releases involve producing a large number of Windows binaries
and experience with tc-native suggests that figuring out the build
process - even with the available documentation - will be non-trivial.
To give you an idea of what is likely to be involved, compare the
documented build instructions for tc-native on Windows [1] with what is
actually required to produce a release [2].

Coincidentally, the committers who typically handle the mod_jk releases
are RedHat employees.

Given all the above, I personally have little desire to dedicate a large
chunk of my time figuring out the mod_jk build process so I can clear up
the mess created by RedHat's security team. I'm not against spending the
time to better document the mod_jk build process (like I did for
tc-native) but that isn't a priority for me right now.

I had hoped that, given that the mess is of RedHat's making, that RedHat
would have directed one of its employees who is familiar with the
mod_jk build process to spend the time necessary to produce a new mod_jk
release. That hasn't happened.

I hadn't realised - until I looked into it as a result of your e-mail -
how long it has been since RedHat leaked this confidential information.
It is looking increasingly like one of the Tomcat committers is going to
have to clean up RedHat's mess for them.

I'm not going to be in a position to do anything to fix this until the week
beginning 27th July but if nothing has been done by then I'll see what I
can do.

<rant>
If I do end up having to clear up this mess I'll be even more annoyed
with RedHat's security team than I am already. I don't actually mind
that much that a mistake was made. We all make mistakes and I have made
very similar mistakes in the past. What annoys me about this - and I get
more annoyed the longer this goes on - is that after RedHat realised
they had leaked vulnerability information and that some of the
information they had leaked was incorrect, RedHat have not (to my knowledge):
- publicly stated some of the leaked information was incorrect;
- publicly corrected the errors in the information they did leak;
- publicly apologised for leaking the information (they have apologised
in private so this is less of an issue);
- done anything to help clear up the mess such as directing their
employees who are Tomcat committers to help with the various releases
that became more urgent as a result of these leaks.

It is this last point that particularly annoys me.

It bears repeating here that the RedHat employees who are committers are
in no way responsible for this mess. It just so happens that they are
best placed to clean it up.
</rant>

I know this doesn't give you the release you need but hopefully you'll
at least have a better understanding of how we ended up where we are and
you do have my assurance that I'll look into this (with no guarantee
I'll be able to produce the release) in just over a week if no-one beats
me to it.

Note you do have the option of building from trunk. I'm not aware of
anything that needs fixing in mod_jk before the next release so the
chances are that a build from the current trunk is going to be very
close to a 1.2.41 release.

Mark


[1] http://tomcat.apache.org/native-doc/
[2] http://wiki.apache.org/tomcat/BuildTcNativeWin
