Posted to dev@tomee.apache.org by Jean-Louis MONTEIRO <je...@gmail.com> on 2014/04/07 21:50:24 UTC

Starting security update release 1.6.0.1

Hi devs,

As discussed heavily, the security maintenance release to fix the Tomcat
CVE 2014-50.
According to our discussions and decisions summarized here
https://tomee.apache.org/security/index.html
we will start the release process.

Special thanks to Jon who has worked heavily to prepare everything and
ensure the TCK all passes.

Another big thanks to Andy who proposed to be the release manager.

That's what I call a community.

Jean-Louis


See the end of the message for more details on the CVE.

*Important: Denial of Service*
CVE-2014-0050 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050>

It was possible to craft a malformed Content-Type header for a multipart
request that caused Apache Tomcat to enter an infinite loop. A malicious
user could, therefore, craft a malformed request that triggered a denial of
service.

The root cause of this error was a bug in Apache Commons FileUpload. Tomcat
7 uses a packaged renamed copy of Apache Commons FileUpload to implement
the requirement of the Servlet 3.0 specification to support the processing
of mime-multipart requests. Tomcat 7 was therefore affected by this issue.

This was fixed in revision 1565169 <http://svn.apache.org/viewvc?view=rev&rev=1565169>.

This issue was reported to the Apache Software Foundation on 04 Feb 2014
and accidentally made public on 06 Feb 2014.

Affects: 7.0.0-7.0.50
-- 
Jean-Louis

Re: Starting security update release 1.6.0.1

Posted by agumbrecht <ag...@tomitribe.com>.
Thanks to all, the vote is posted.

Andy.


Re: Starting security update release 1.6.0.1

Posted by Jonathan Gallimore <jo...@gmail.com>.
+1  Thank you to you both :)


On Mon, Apr 7, 2014 at 9:45 PM, Romain Manni-Bucau <rm...@gmail.com> wrote:

> and to JL to drive it so hard ;)
> Romain Manni-Bucau
> Twitter: @rmannibucau
> Blog: http://rmannibucau.wordpress.com/
> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> Github: https://github.com/rmannibucau
>
>
>
> 2014-04-07 22:44 GMT+02:00 Jean-Louis MONTEIRO <je...@gmail.com>:
> > Forgot a big big thank you to Romain as usual. He's always so active and
> > efficient that we sometimes forget to highlight his highly valuable
> > contribution.
> >
> > Thanks Romain.
> >
> >
> > 2014-04-07 21:50 GMT+02:00 Jean-Louis MONTEIRO <je...@gmail.com>:
> >
> >> Hi devs,
> >>
> >> As discussed heavily, the security maintenance release to fix the Tomcat
> >> CVE 2014-50.
> >> According to our discussions and decisions summarized here
> >> https://tomee.apache.org/security/index.html
> >> we will start the release process.
> >>
> >> Special thanks to Jon who has worked heavily to prepare everything and
> >> ensure the TCK all passes.
> >>
> >> Another big thanks to Andy who proposed to be the release manager.
> >>
> >> That's what I call a community.
> >>
> >> Jean-Louis
> >>
> >>
> >> See the end of the message for more details on the CVE.
> >>
> >> *Important: Denial of Service* CVE-2014-0050 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050>
> >>
> >> It was possible to craft a malformed Content-Type header for a multipart
> >> request that caused Apache Tomcat to enter an infinite loop. A malicious
> >> user could, therefore, craft a malformed request that triggered a denial of
> >> service.
> >>
> >> The root cause of this error was a bug in Apache Commons FileUpload.
> >> Tomcat 7 uses a packaged renamed copy of Apache Commons FileUpload to
> >> implement the requirement of the Servlet 3.0 specification to support the
> >> processing of mime-multipart requests. Tomcat 7 was therefore affected by
> >> this issue.
> >>
> >> This was fixed in revision 1565169 <http://svn.apache.org/viewvc?view=rev&rev=1565169>.
> >>
> >> This issue was reported to the Apache Software Foundation on 04 Feb 2014
> >> and accidentally made public on 06 Feb 2014.
> >>
> >> Affects: 7.0.0-7.0.50
> >> --
> >> Jean-Louis
> >>
> >
> >
> >
> > --
> > Jean-Louis
>

Re: Starting security update release 1.6.0.1

Posted by Romain Manni-Bucau <rm...@gmail.com>.
and to JL to drive it so hard ;)
Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau



2014-04-07 22:44 GMT+02:00 Jean-Louis MONTEIRO <je...@gmail.com>:
> Forgot a big big thank you to Romain as usual. He's always so active and
> efficient that we sometimes forget to highlight his highly valuable
> contribution.
>
> Thanks Romain.
>
>
> 2014-04-07 21:50 GMT+02:00 Jean-Louis MONTEIRO <je...@gmail.com>:
>
>> Hi devs,
>>
>> As discussed heavily, the security maintenance release to fix the Tomcat
>> CVE 2014-50.
>> According to our discussions and decisions summarized here
>> https://tomee.apache.org/security/index.html
>> we will start the release process.
>>
>> Special thanks to Jon who has worked heavily to prepare everything and
>> ensure the TCK all passes.
>>
>> Another big thanks to Andy who proposed to be the release manager.
>>
>> That's what I call a community.
>>
>> Jean-Louis
>>
>>
>> See the end of the message for more details on the CVE.
>>
>> *Important: Denial of Service* CVE-2014-0050 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050>
>>
>> It was possible to craft a malformed Content-Type header for a multipart
>> request that caused Apache Tomcat to enter an infinite loop. A malicious
>> user could, therefore, craft a malformed request that triggered a denial of
>> service.
>>
>> The root cause of this error was a bug in Apache Commons FileUpload.
>> Tomcat 7 uses a packaged renamed copy of Apache Commons FileUpload to
>> implement the requirement of the Servlet 3.0 specification to support the
>> processing of mime-multipart requests. Tomcat 7 was therefore affected by
>> this issue.
>>
>> This was fixed in revision 1565169 <http://svn.apache.org/viewvc?view=rev&rev=1565169>.
>>
>> This issue was reported to the Apache Software Foundation on 04 Feb 2014
>> and accidentally made public on 06 Feb 2014.
>>
>> Affects: 7.0.0-7.0.50
>> --
>> Jean-Louis
>>
>
>
>
> --
> Jean-Louis

Re: Starting security update release 1.6.0.1

Posted by Jean-Louis MONTEIRO <je...@gmail.com>.
Forgot a big big thank you to Romain as usual. He's always so active and
efficient that we sometimes forget to highlight his highly valuable
contribution.

Thanks Romain.


2014-04-07 21:50 GMT+02:00 Jean-Louis MONTEIRO <je...@gmail.com>:

> Hi devs,
>
> As discussed heavily, the security maintenance release to fix the Tomcat
> CVE 2014-50.
> According to our discussions and decisions summarized here
> https://tomee.apache.org/security/index.html
> we will start the release process.
>
> Special thanks to Jon who has worked heavily to prepare everything and
> ensure the TCK all passes.
>
> Another big thanks to Andy who proposed to be the release manager.
>
> That's what I call a community.
>
> Jean-Louis
>
>
> See the end of the message for more details on the CVE.
>
> *Important: Denial of Service* CVE-2014-0050 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050>
>
> It was possible to craft a malformed Content-Type header for a multipart
> request that caused Apache Tomcat to enter an infinite loop. A malicious
> user could, therefore, craft a malformed request that triggered a denial of
> service.
>
> The root cause of this error was a bug in Apache Commons FileUpload.
> Tomcat 7 uses a packaged renamed copy of Apache Commons FileUpload to
> implement the requirement of the Servlet 3.0 specification to support the
> processing of mime-multipart requests. Tomcat 7 was therefore affected by
> this issue.
>
> This was fixed in revision 1565169 <http://svn.apache.org/viewvc?view=rev&rev=1565169>.
>
> This issue was reported to the Apache Software Foundation on 04 Feb 2014
> and accidentally made public on 06 Feb 2014.
>
> Affects: 7.0.0-7.0.50
> --
> Jean-Louis
>



-- 
Jean-Louis