Fixed: Upgrade Tomcat from 9.0.41 to 9.0.43 (OFBIZ-12165)
Fixes 2 security issues:
CVE-2021-25122 h2c request mix-up
CVE-2021-25329 Incomplete fix for CVE-2020-9484 (RCE via session persistence)
> Upgrade Tomcat from 9.0.41 to 9.0.43
> Key: OFBIZ-12165
> URL: https://issues.apache.org/jira/browse/OFBIZ-12165
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Release Branch 18.12, Trunk
> Reporter: Michael Brohl
> Assignee: Michael Brohl
> Priority: Minor
> Labels: backport-needed
> Fix For: Upcoming Branch
> Needs backport because of the CVE reports: https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat 9.0.43.
> Apache Tomcat 9 is an open source software implementation of the Java
> Servlet, JavaServer Pages, Java Unified Expression Language, Java
> WebSocket and JASPIC technologies.
> Apache Tomcat 9.0.43 is a bugfix and feature release. The notable
> changes compared to 9.0.41 include:
> - Add support for using Unix domain sockets for NIO when running on Java
> 16 or later.
> - Add a new StringInterpreter interface that allows applications to
> provide customised string attribute value to type conversion within
> JSPs. This allows applications to provide a conversion implementation
> that is optimised for the application.
> - Add peerAddress to coyote request, which contains the IP address of
> the direct connection peer. If a reverse proxy sits in front of Tomcat
> and the RemoteIp(Valve|Filter) is used, the peerAddress is likely to
> differ from the remoteAddress. The remoteAddress is likely to contain
> the address of the client in front of the reverse proxy, not the
> address of the proxy itself.
> Please refer to the change log for the complete list of changes:
This message was sent by Atlassian Jira
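The peerAddress/remoteAddress distinction from the quoted release notes, modelled in Python as an added example (this is not Tomcat's code, only a simplified reimplementation of RemoteIpValve-style header handling): the direct socket peer is always recorded as the peer address, and X-Forwarded-For is only honoured when that peer is in a constructed trusted-proxy list, so a client connecting directly cannot spoof its remote address with the header.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed trusted reverse-proxy ranges (assumption for this example; in
# Tomcat this corresponds to the RemoteIp(Valve|Filter) proxy configuration).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def _is_trusted(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


@dataclass
class Resolved:
    peer_address: str    # address of the direct TCP peer, never rewritten
    remote_address: str  # client address after proxy-header processing
    header_trusted: bool # whether X-Forwarded-For was honoured at all


def resolve(peer_address: str, x_forwarded_for: Optional[str]) -> Resolved:
    """Derive remote_address from X-Forwarded-For only if the peer is trusted."""
    peer = ipaddress.ip_address(peer_address)
    if not _is_trusted(peer) or not x_forwarded_for:
        # Untrusted peer (or no header): the peer IS the client.
        return Resolved(peer_address, peer_address, False)
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right-to-left, skipping trusted proxies; the first untrusted hop
    # is the real client as seen by the outermost trusted proxy.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed hop: refuse the header rather than guess.
            return Resolved(peer_address, peer_address, False)
        if not _is_trusted(addr):
            return Resolved(peer_address, str(addr), True)
    # Every hop was a trusted proxy: keep the leftmost value.
    return Resolved(peer_address, hops[0], True)


if __name__ == "__main__":
    # Constructed requests: one via a trusted proxy, one direct with a spoofed header.
    print(resolve("10.0.0.7", "198.51.100.20, 10.0.0.7"))
    print(resolve("203.0.113.5", "198.51.100.20"))
```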