[jira] [Commented] (OFBIZ-12165) Upgrade Tomcat from 9.0.41 to 9.0.43

ASF subversion and git services (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-12165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17293204#comment-17293204 ]

ASF subversion and git services commented on OFBIZ-12165:

Commit 7756b11421f1c10d5804b400a3b84c7cbb25a694 in ofbiz-framework's branch refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=7756b11 ]

Fixed: Upgrade Tomcat from 9.0.41 to 9.0.43 (OFBIZ-12165)

Fixes 2 security issues:

CVE-2021-25122 h2c request mix-up
Severity: Important

CVE-2021-25329 Incomplete fix for CVE-2020-9484 (RCE via session persistence)
Severity: Low

> Upgrade Tomcat from 9.0.41 to 9.0.43
> ------------------------------------
>                 Key: OFBIZ-12165
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12165
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 18.12, Trunk
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Minor
>              Labels: backport-needed
>             Fix For: Upcoming Branch
> Needs backport because of the CVE reports: https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
> The Apache Tomcat team announces the immediate availability of Apache
>  Tomcat 9.0.43.
> Apache Tomcat 9 is an open source software implementation of the Java
>  Servlet, JavaServer Pages, Java Unified Expression Language, Java
>  WebSocket and JASPIC technologies.
> Apache Tomcat 9.0.43 is a bugfix and feature release. The notable
>  changes compared to 9.0.41 include:
>  - Add support for using Unix domain sockets for NIO when running on Java
>  16 or later.
>  - Add a new StringInterpreter interface that allows applications to
>  provide customised string attribute value to type conversion within
>  JSPs. This allows applications to provide a conversion implementation
>  that is optimised for the application.
>  - Add peerAddress to coyote request, which contains the IP address of
>  the direct connection peer. If a reverse proxy sits in front of Tomcat
>  and the RemoteIp(Valve|Filter) is used, the peerAddress is likely to
>  differ from the remoteAddress. The remoteAddress is likely to contain
>  the address of the client in front of the reverse proxy, not the
>  address of the proxy itself.
> Please refer to the change log for the complete list of changes:
>  [http://tomcat.apache.org/tomcat-9.0-doc/changelog.html]
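To make the peerAddress/remoteAddress distinction in the quoted release note concrete, here is an added example (a simplified Python model of what a RemoteIp-style valve does, not Tomcat's RemoteIpValve or OFBiz code; the trusted-proxy range and sample addresses are constructed):

```python
import ipaddress
from typing import Optional, Tuple

# Constructed assumption: only this range is treated as a trusted reverse proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to a trusted reverse-proxy range; malformed -> False."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_addresses(peer: str, xff: Optional[str]) -> Tuple[str, str]:
    """Return (peerAddress, remoteAddress).

    peerAddress is always the direct TCP peer. remoteAddress is derived from
    X-Forwarded-For only when the peer is a trusted proxy; otherwise the
    header is ignored so an arbitrary client cannot spoof its own address.
    """
    if xff is None or not is_trusted_proxy(peer):
        return peer, peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left, discarding trusted proxies; the first untrusted
    # hop is the original client.
    while hops and is_trusted_proxy(hops[-1]):
        hops.pop()
    remote = hops[-1] if hops else peer
    return peer, remote


if __name__ == "__main__":
    # Request arrives via trusted proxy 10.0.0.5, header lists client + inner proxy.
    print(resolve_addresses("10.0.0.5", "203.0.113.7, 10.0.0.9"))
    # Same header from an untrusted peer: header ignored, both equal the peer.
    print(resolve_addresses("198.51.100.4", "203.0.113.7, 10.0.0.9"))
```

Logging both values separately helps when auditing access logs behind a proxy: a mismatch is expected through the proxy, while a client-supplied header from an untrusted peer leaves remoteAddress equal to peerAddress.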

This message was sent by Atlassian Jira