Thank you for this latest update.
Looking forward to the 7.x new build.
Sent from my iPhone
> On Sep 29, 2017, at 2:14 AM, Mark Thomas wrote:
>
> Hi all,
>
> Hopefully this will be the final update on this.
>
> The fixes for CVE-2017-12617 have now been applied to all current
> versions. Re
Hi all,
Hopefully this will be the final update on this.
The fixes for CVE-2017-12617 have now been applied to all current
versions. Releases for 9.0.x and 8.5.x are already in progress on the
dev@ list. The release process for 8.0.x and 7.0.x is expected to start
shortly.
As per my previous e-m
Thank you for the response and confirmation, Mark.
Sent from my iPhone
> On Sep 25, 2017, at 12:36 PM, Mark Thomas wrote:
>
>> On 25/09/17 18:12, Harish Krishnan wrote:
>> Hi Mark,
>>
>> Thanks for the timely updates.
>> My understanding is, there will be a new 7.x update available for address
On 25/09/17 18:12, Harish Krishnan wrote:
> Hi Mark,
>
> Thanks for the timely updates.
> My understanding is, there will be a new 7.x update available for addressing
> CVE-2017-12617. Is that correct?
> The current latest (7.0_81) resolves the initial 2 CVEs (CVE*12615 and
> CVE*12616).
> When
Hi Mark,
Thanks for the timely updates.
My understanding is, there will be a new 7.x update available for addressing
CVE-2017-12617. Is that correct?
The current latest (7.0_81) resolves the initial 2 CVEs (CVE*12615 and
CVE*12616).
When can we expect the new update for 7.x?
Sent from my iPhon
Update:
The review did not identify any further security concerns but it did
identify a handful of places where the code could benefit from some
clean-up. This clean-up makes the purpose of the code clearer and eases
future maintenance in this security-relevant area of the code base.
The clean-up
Update:
We believe we have a set of patches [1],[2] that addresses this for
9.0.x. The plan is to give folks ~12 hours to review the proposed
patches and then back-port the patches, tag and release.
Further analysis has not identified any additional attack vectors or
risks associated with this vu
Update:
The issue has been confirmed.
CVE-2017-12617 has been allocated.
The issue is not limited to PUT requests. For the Default servlet,
DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and
COPY are believed to be affected.
The RCE via JSP upload using PUT is still believe