https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
xxlegend changed:
What|Removed |Added
Summary|Apache Tomcat Remote Code |none
|Execution via JSP U
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
Bug ID: 61542
Summary: Apache Tomcat Remote Code Execution via JSP Upload
bypass for CVE-2017-12615
Product: Tomcat 7
Version: 7.0.81
Hardware: PC
Status: NEW
Hi, here is my test result, although the vote has finished:
The proposed 9.0.0.M27 release is:
[ ] Broken - do not release
[ X ] Alpha - go ahead and release as 9.0.0.M27
Unit test passed.
Our web application works fine.
--
Mark Tho
Updated with Konstantin's feedback.
Further comments, feedback etc welcome.
The Apache Tomcat Team announces that support for Apache Tomcat Native
1.1.x will end on 30 September 2018.
This means that after 30 September 2018:
- releases from the 1.1.x branch are highly unlikely
- bugs affecting
Author: markt
Date: Tue Sep 19 20:29:38 2017
New Revision: 21712
Log:
Release Apache Tomcat 8.5.21
Added:
release/tomcat/tomcat-8/v8.5.21/
- copied from r21711, dev/tomcat/tomcat-8/v8.5.21/
Removed:
dev/tomcat/tomcat-8/v8.5.21/
-
Author: markt
Date: Tue Sep 19 20:29:09 2017
New Revision: 21711
Log:
Release Apache Tomcat 9.0.0.M27
Added:
release/tomcat/tomcat-9/v9.0.0.M27/
- copied from r21710, dev/tomcat/tomcat-9/v9.0.0.M27/
Removed:
dev/tomcat/tomcat-9/v9.0.0.M27/
-
Author: markt
Date: Tue Sep 19 20:28:21 2017
New Revision: 21710
Log:
Tomcat 6 has reached end of life
Removed:
dev/tomcat/tomcat-6/
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mai
The following votes were cast:
Binding:
+1: rjung, markt, fschumacher, mgrigorov, csutherl, violetagg
Non-binding:
+1: ebourg
The vote therefore passes.
Thank you to everyone who contributed to this release.
Mark
The following votes were cast:
Binding:
+1: markt, rjung, fschumacher, mgrigorov, violetagg
No other votes were cast.
The vote therefore passes.
Thank you to everyone who contributed to this release.
2017-09-13 21:49 GMT+03:00 Mark Thomas :
>
> The proposed Apache Tomcat 9.0.0.M27 release is now available for voting.
>
> This is a milestone release for the 9.0.x branch. It should be
> noted that, as a milestone release:
> - Servlet 4.0 is not finalised
> - It is not known if there will be a min
2017-09-14 0:02 GMT+03:00 Mark Thomas :
>
> The proposed Apache Tomcat 8.5.21 release is now available for voting.
>
> The major changes compared to the 8.5.20 release are:
>
> - Additional capabilities for the CGI Servlet. Based on patches provided
> by jm009.
>
> - Added support for the OpenSSL
Author: csutherl
Date: Tue Sep 19 14:22:06 2017
New Revision: 1808887
URL: http://svn.apache.org/viewvc?rev=1808887&view=rev
Log:
Update fix for bug 59904 so that values less than zero are accepted instead of
throwing a NegativeArraySizeException.
Modified:
tomcat/tc7.0.x/trunk/ (props cha
Author: csutherl
Date: Tue Sep 19 14:17:12 2017
New Revision: 1808884
URL: http://svn.apache.org/viewvc?rev=1808884&view=rev
Log:
Update fix for bug 59904 so that values less than zero are accepted instead of
throwing a NegativeArraySizeException.
Modified:
tomcat/tc8.0.x/trunk/ (props cha
Author: csutherl
Date: Tue Sep 19 14:10:12 2017
New Revision: 1808881
URL: http://svn.apache.org/viewvc?rev=1808881&view=rev
Log:
Cherry-pick r1808880 from 8.5.x/trunk
Modified:
tomcat/trunk/ (props changed)
tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookies.java
tomcat/tru
Author: csutherl
Date: Tue Sep 19 14:07:02 2017
New Revision: 1808880
URL: http://svn.apache.org/viewvc?rev=1808880&view=rev
Log:
Update fix for bug 59904 so that values less than zero are accepted instead of
throwing a NegativeArraySizeException.
Modified:
tomcat/tc8.5.x/trunk/java/org/apac
Hi,
I'm planning to start preparing Tomcat 7/8.0 for a release later today.
If you would like to include something in addition, please reply here.
Regards,
Violeta
On Wed, Sep 13, 2017 at 5:02 PM, Mark Thomas wrote:
> The proposed Apache Tomcat 8.5.21 release is now available for voting.
>
> The major changes compared to the 8.5.20 release are:
>
> - Additional capabilities for the CGI Servlet. Based on patches provided
> by jm009.
>
> - Added support for
The body of the original advisory referred to CVE-2017-7674. This was
incorrect. It was a copy and paste error from a previous Tomcat advisory.
The correct CVE reference is CVE-2017-12616, as per the subject line.
On 19/09/17 11:58, Mark Thomas wrote:
> CVE-2017-7674 Apache Tomcat Information Dis
The body of the original advisory referred to CVE-2017-7674. This was
incorrect. It was a copy and paste error from a previous Tomcat advisory.
The correct CVE reference is CVE-2017-12615, as per the subject line.
On 19/09/17 11:58, Mark Thomas wrote:
> CVE-2017-12615 Apache Tomcat Remote Code E
Author: markt
Revision: 1804729
Modified property: svn:log
Modified: svn:log at Tue Sep 19 11:01:39 2017
--
--- svn:log (original)
+++ svn:log Tue Sep 19 11:01:39 2017
@@ -1 +1,4 @@
Correct regression in r1804604 that bro
Author: markt
Revision: 1804604
Modified property: svn:log
Modified: svn:log at Tue Sep 19 11:01:02 2017
--
--- svn:log (original)
+++ svn:log Tue Sep 19 11:01:02 2017
@@ -3,3 +3,5 @@ Code clean-up
- Correct indent
- Con
CVE-2017-7674 Apache Tomcat Remote Code Execution via JSP Upload
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 7.0.0 to 7.0.79
Description:
When running on Windows with HTTP PUTs enabled (e.g. via setting the
readonly initialisation parameter of the
CVE-2017-7674 Apache Tomcat Information Disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 7.0.0 to 7.0.80
Description:
When using a VirtualDirContext it was possible to bypass security
constraints and/or view the source code of JSPs for resou
Author: markt
Date: Tue Sep 19 10:57:45 2017
New Revision: 1808857
URL: http://svn.apache.org/viewvc?rev=1808857&view=rev
Log:
Add details for CVE-2017-12615 and CVE-2017-12616
Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/xdocs/security-7.xml
Modified: tomcat/site/t