Posted to users@tomcat.apache.org by CHENG Jianhua <Ji...@alcatel-sbell.com.cn> on 2007/08/01 10:25:35 UTC

Confusion about tomcat security bulletin

Dear All,
 
Our company has an application that uses Tomcat 5.0.27 and can't upgrade the
version.
I'm very concerned about the security issues related to this version.
 
Now I have some confusion about the Tomcat security bulletin
http://tomcat.apache.org/security-5.html .
For example:
------------------------------------------------------------------------
Fixed in Apache Tomcat 5.5.23, 5.0.HEAD

important: Information disclosure CVE-2005-2090
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090>

Requests with multiple content-length headers should be rejected
as invalid. When multiple components (firewalls, caches, proxies and
Tomcat) process a sequence of requests where one or more requests
contain multiple content-length headers, and several components do not
reject the request and make different decisions as to which
content-length header to use, an attacker can poison a web cache,
perform an XSS attack and obtain sensitive information from requests
other than their own. Tomcat now returns 400 for requests with multiple
content-length headers.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.22

------------------------------------------------------------------------
This issue does affect 5.0.27, but it says "Fixed in Apache Tomcat 5.5.23,
5.0.HEAD". Does "5.0.HEAD" include 5.0.27 itself?
If so, does it mean that when I get a new release of 5.0.27 from the Tomcat
website the issue will be fixed? And if a new issue has been reported, such as
"moderate: Cross-site scripting CVE-2007-1355
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355>", which
also affects 5.0.27 and is fixed in 5.0.HEAD, does it mean I must get
5.0.27 from the Tomcat website again to fix this issue?
 
 
I look forward to your answer, and thanks a lot!
 
Best regards,
Cheng Jianhua
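The bulletin text quoted in the post says Tomcat's fix was to answer 400 to any request carrying more than one Content-Length header rather than guess which value applies. The following is an added example, not Tomcat's code and not from the poster: a small request-head validator (the function name `validate_request_head` and the sample requests are constructed for this example) that applies the same rule at a front end, and also rejects the two variants that hide a second length inside a single header, a comma list and obsolete line folding.

```python
"""Added example (not Tomcat's code): reject requests that carry more than
one Content-Length header, answering 400 the way the bulletin says Tomcat
5.5.23 and later do, instead of picking one of the values.

All sample requests at the bottom are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Verdict:
    status: int            # HTTP status the front end would answer with
    reason: str            # why the request was accepted or rejected
    headers: dict = field(default_factory=dict)   # lower-cased name -> values


def validate_request_head(raw: bytes) -> Verdict:
    """Parse the request head (up to the empty line) and apply the check.

    Returns status 200 when the head is acceptable, 400 otherwise. The rule
    is deliberately strict: a second Content-Length header is rejected even
    when its value is identical, because the disagreement between components
    (proxy, cache, Tomcat) is exactly what the bulletin warns about.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(400, "request head not terminated by an empty line")

    lines = head.split(b"\r\n")
    headers: dict = {}
    for line in lines[1:]:                    # lines[0] is the request line
        if line[:1] in (b" ", b"\t"):
            # Obsolete line folding can smuggle a second value into the
            # previous header, so treat it as malformed.
            return Verdict(400, "obsolete header line folding")
        name, colon, value = line.partition(b":")
        # Whitespace between the field name and the colon is also invalid.
        if not colon or not name or name != name.strip():
            return Verdict(400, "malformed header line")
        key = name.decode("ascii", "replace").lower()
        headers.setdefault(key, []).append(
            value.strip().decode("ascii", "replace"))

    lengths = headers.get("content-length", [])
    if len(lengths) > 1:
        return Verdict(400, "multiple Content-Length headers", headers)
    if lengths:
        value = lengths[0]
        # A comma list ("5, 20") is the same ambiguity inside one header.
        # Non-ASCII digits pass str.isdigit() but are not valid here.
        if not (value.isascii() and value.isdigit()):
            return Verdict(400, "invalid Content-Length value", headers)
    return Verdict(200, "ok", headers)


# Constructed sample requests (not captured traffic).
GOOD = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 5\r\n\r\nhello")
DUPLICATE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\ncontent-length: 20\r\n\r\nhello")
DUPLICATE_SAME = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 5\r\nContent-Length: 5\r\n\r\nhello")
COMMA_LIST = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5, 20\r\n\r\nhello")
FOLDED = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\n 20\r\n\r\nhello")


if __name__ == "__main__":
    samples = [("good", GOOD), ("duplicate", DUPLICATE),
               ("duplicate-same", DUPLICATE_SAME),
               ("comma-list", COMMA_LIST), ("folded", FOLDED)]
    for label, req in samples:
        v = validate_request_head(req)
        print(f"{label:15} -> {v.status} {v.reason}")
```

Only the first sample is accepted; every other one is answered with 400 before any body bytes are interpreted, which is the point of the fix: once a request is rejected outright, no two components in the chain can disagree about where it ends.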
 
 

RE: Confusion about tomcat security bulletin

Posted by CHENG Jianhua <Ji...@alcatel-sbell.com.cn>.
Rainer,

OK, I see now.

Thank you very much! 

Best regards,
Cheng Jianhua
 

-----Original Message-----
From: Rainer Jung [mailto:rainer.jung@kippdata.de] 
Sent: 1 August 2007 16:35
To: Tomcat Users List
Subject: Re: Confusion about tomcat security bulletin

5.0.HEAD is the most actual, non-released version of the 5.0 code branch. So this means, the problem will be fixed in any new 5.0 release.

Currently there are no plans to do a new 5.0 release. So if security is a real concern for you, you should upgrade to at least 5.5 (which shouldn't be a big deal) or to 6.0.

If you can't upgrade and you must fix the issue, you will need to build from the source (which is a little painful for TC 5.0).

Regards,

Rainer


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




Re: Confusion about tomcat security bulletin

Posted by Rainer Jung <ra...@kippdata.de>.
5.0.HEAD is the most actual, non-released version of the 5.0 code 
branch. So this means, the problem will be fixed in any new 5.0 release.

Currently there are no plans to do a new 5.0 release. So if security is 
a real concern for you, you should upgrade to at least 5.5 (which 
shouldn't be a big deal) or to 6.0.

If you can't upgrade and you must fix the issue, you will need to build 
from the source (which is a little painful for TC 5.0).

Regards,

Rainer

