Posted to users@tomcat.apache.org by Brendan P Keenan <bk...@csc.com> on 2011/11/04 21:20:11 UTC

Vulnerability Remediation

It has been identified to me by our security group that my Apache Tomcat
6.0.33 has the following vulnerability CVE-2011-3190. There is a link on
the Apache Tomcat 6.0 Security page to
http://svn.apache.org/viewvc?view=revision&revision=1162959 as a patch.

The link lists three files:

/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

There is no trunk or java/org/apache/coyote directory in my installation.
Do I add those directories to apply the patch?

I am completely new at all of this so all help and direction is appreciated
and necessary.
Thanks


Brendan P Keenan
Mainframe Automation
CSC

Home Office - Columbia, CT USA
GOS | Global Enterprise Service Mgmt | 1.860.416.0251 | bkeenan@csc.com |
www.csc.com

This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery.
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to
any order or other contract unless pursuant to explicit written agreement
or government initiative expressly permitting the use of e-mail for such
purpose.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Vulnerability Remediation

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/11/5 Brendan P Keenan <bk...@csc.com>:
>
> It has been identified to me by our security group that my Apache Tomcat
> 6.0.33 has the following vulnerability CVE-2011-3190. There is a link on
> the Apache Tomcat 6.0 Security page to
> http://svn.apache.org/viewvc?view=revision&revision=1162959 as a patch.
>
> (...)
>
> Do I add those directories to apply the patch?
>

Have you read the first section at the top of that Tomcat 6 security page?
http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities


Regarding those three files that you mentioned:
That is the "ViewVC" program that displays the Subversion repository that
contains the source code.  That page shows what files were changed in
revision #1162959 and what the differences were.

Best regards,
Konstantin Kolinko



Re: Vulnerability Remediation

Posted by Daniel Mikusa <dm...@vmware.com>.
Brendan,

The link is a list of the files that were modified to fix the
vulnerability.  These files can be used to patch the source code for
Tomcat.  After patching the source code, you would then need to
recompile it and update your Tomcat installation with the recompiled
binaries.

In my opinion, it's easier to apply one of the mitigations now and
upgrade to Tomcat 6.0.34 when it is officially released.

* Configure both Tomcat and the reverse proxy to use a shared secret.
  (It is the "request.secret" attribute in the AJP <Connector>,
  and the "worker.workername.secret" directive for mod_jk. The mod_proxy_ajp
  module currently does not support shared secrets).

* Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector
  implementation.
  (It is automatically selected if you do not have the Tomcat-Native library
  installed. It can also be selected explicitly: <Connector
  protocol="org.apache.jk.server.JkCoyoteHandler">).

Dan

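A small audit script for the two mitigations Dan lists (shared secret on the AJP connector, and pinning the connector to JkCoyoteHandler), added here as an example that is not part of the thread or of Tomcat itself; the sample server.xml fragments, the function names and the placeholder secret value are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a typical Tomcat 6 server.xml with the default AJP
# connector, no shared secret and the auto-selected AJP/1.3 implementation.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample with both mitigations from the thread applied.
# The secret value is a placeholder; use a long random string in practice.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="org.apache.jk.server.JkCoyoteHandler"
               request.secret="REPLACE_WITH_LONG_RANDOM_SECRET"
               redirectPort="8443" />
  </Service>
</Server>"""

JK_HANDLER = "org.apache.jk.server.JkCoyoteHandler"


def is_ajp_connector(connector):
    """True for AJP/1.3 and for any explicit AJP implementation class."""
    proto = connector.get("protocol", "HTTP/1.1")
    return proto == JK_HANDLER or "ajp" in proto.lower()


def audit_ajp_connectors(server_xml):
    """Return {port: [finding, ...]} for every AJP <Connector> in the XML text.

    An empty list means both mitigations from the thread are present."""
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        if not is_ajp_connector(conn):
            continue
        findings = []
        if not conn.get("request.secret"):
            findings.append("no request.secret: any host that can reach the "
                            "AJP port can talk to Tomcat without a shared secret")
        if conn.get("protocol") != JK_HANDLER:
            findings.append("protocol is not pinned to " + JK_HANDLER +
                            "; AJP/1.3 selects the APR connector when the "
                            "Tomcat-Native library is installed")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp_connectors(xml))
```

Run it against your own conf/server.xml by passing the file contents to audit_ajp_connectors; the HTTP connector is ignored because the mitigations only concern AJP.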