Posted to users@tomcat.apache.org by "Anand, Amit (Contractor)" <aa...@ftc.gov> on 2011/09/07 20:30:14 UTC

Tomcat issue (Solaris 10)

All,

Kinda new to Tomcat but have a couple of quick questions which came up regarding CVE-2011-3109 (Bug 51698).

Questions:

Any timeline for when the stable release of 6.0.34 is supposed to be released?
Also, what does "in trunk" specifically mean? Does that mean that if I download, say, version 6.0.29 as of now, it will have the fix?

I do not know if this is the appropriate place to ask, but would appreciate any help or guidance. Thank you.

Amit Anand
Federal Trade Commission
Sr. Unix Engineer (Contractor)
202-326-2394

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat issue (Solaris 10)

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Amit,

Please keep conversations on-list to benefit others.

On 9/8/2011 3:57 PM, Anand, Amit (Contractor) wrote:
> Thank you very much for all your help! Like I said, not very good 
> with Tomcat. So this patch should fix this CVE-2011-3109 (Bug 
> 51698).

Yes.

> The thing is, I don’t even know how to implement it....

Tomcat doesn't provide binary patches, so you have to do this at the
source level. You can download the source for Tomcat 6.0.33, then
apply the patch to the source (2 Java files were modified... you could
do it by hand if you don't know how to use "patch"), then re-build.
You only really need to re-compile the 2 files that were modified.

You could also wait for 6.0.34.

If you are really anxious, the easiest thing to do is to add a shared
"secret" to both your proxy and Tomcat: this will essentially
eliminate this particular threat. Look for "request.secret" on this page:

http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html

-chris



Re: Tomcat issue (Solaris 10)

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Amit,

On 9/7/2011 6:38 PM, Christopher Schultz wrote:
> I've been trying to determine if using an AJP "secret" will thwart 
> this kind of attack. I suspect it will, but I can't get my TC to
> take a secret just now (see my post under separate cover).

Confirmed: setting a "secret" on your AJP connection will prevent
these types of attack messages from being processed by Tomcat.

See the CVE announcement which includes this technique as a mitigatory
action:
http://markmail.org/message/w5ya5e2xv5xaw3zd

-chris

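An added check for the mitigation Chris recommends in the two messages above (it is not code from the thread or from the Tomcat project): it parses a Tomcat 6 server.xml and reports AJP connectors that carry no request.secret, with the stock connector and its hardened form embedded as constructed sample input. The secret value and the mod_jk worker name mentioned in the comments are placeholders.

```python
"""Audit a Tomcat 6 server.xml for AJP connectors that accept unauthenticated workers."""
import xml.etree.ElementTree as ET

# Values Tomcat 6 accepts in the Connector "protocol" attribute for AJP.
AJP_PROTOCOLS = {
    "AJP/1.3",
    "org.apache.coyote.ajp.AjpProtocol",
    "org.apache.coyote.ajp.AjpAprProtocol",
}


def find_ajp_connectors(server_xml: str):
    """Return (port, request.secret) for every AJP connector in the XML text."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        if conn.get("protocol") in AJP_PROTOCOLS:
            found.append((conn.get("port"), conn.get("request.secret")))
    return found


def audit(server_xml: str):
    """Return findings; an empty list means every AJP connector requires a non-empty secret."""
    findings = []
    for port, secret in find_ajp_connectors(server_xml):
        if secret is None:
            findings.append(f"AJP connector on port {port}: no request.secret, any client can send AJP messages")
        elif not secret.strip():
            findings.append(f"AJP connector on port {port}: request.secret is empty")
    return findings


# Constructed sample: the default Tomcat 6 AJP connector, with no shared secret.
WEAK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# The same connector with a shared secret (placeholder value). The proxy side must
# present the identical value, e.g. worker.<name>.secret=... in mod_jk's workers.properties.
HARDENED = WEAK.replace('protocol="AJP/1.3"',
                        'protocol="AJP/1.3" request.secret="change-me-placeholder"')

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(xml_text) or "ok")
```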


Re: Tomcat issue (Solaris 10)

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Amit,

On 9/7/2011 2:30 PM, Anand, Amit (Contractor) wrote:
> Kinda new to tomcat but have a couple quick questions which came
> up regarding CVE-2011-3109 (Bug 51698).
> 
> Any timeline to when stable release of 6.0.34 is supposed to be 
> released?

Officially, it's "ready when it's ready". Given that this is
classified as an "important" fix, I suspect that 6.0.34 will have a
smaller lag time since 6.0.33 than 6.0.33 did from 6.0.32 (which was
about 6.5 months).

> Also what does "in trunk" specifically mean? Does that mean if I
> download say version 6.0.29 as of now, it will have the fix?

Certainly not. What it means is that it will appear in the next
release of the 6.0.x line of Tomcats which should be 6.0.34.

I've been trying to determine if using an AJP "secret" will thwart
this kind of attack. I suspect it will, but I can't get my TC to take
a secret just now (see my post under separate cover).

-chris
