Apache Tomcat/6.0.36 - Error Report
Based on a patch by Ramiro. (markt) 51177: Ensure Tomcat's MapELResolver and ListELResolver always return Object.class for getType() as required by the EL specification. (markt) Correct possible threading issue in JSP Important: Remote Denial Of Service CVE-2010-4476 A JVM bug could cause Double conversion to hang the JVM when accessing a form based security constrained page or any page that calls javax.servlet.ServletRequest.getLocale(). This was first reported to the Tomcat security team on 5 Mar 2009 and made public on 6 Mar 2009. When applying the limit to a connection, try to read that many bytes first before closing the connection, to give the client a chance to read the response. (markt) 57544: Fix
This vulnerability is only applicable when hosting web applications from untrusted sources such as shared hosting environments. These pages have been simplified so that they do not use any user provided data in the output. That behaviour can be used for a denial of service attack using a carefully crafted request. This vulnerability only occurs when all of the following are true: the org.apache.jk.server.JkCoyoteHandler AJP connector is not used; POST requests are accepted; the request body is not processed. This was fixed
I don't believe I have used the command on 6.0 yet. This was first reported to the Tomcat security team on 01 Feb 2011 and made public on 31 Jan 2011. There was no limit to the size of request body that Tomcat would swallow.
validateXml controls the validation of web.xml files when Jasper parses them, and validateTld controls the validation of *.tld files when Jasper parses them. (markt) 54475: Add Java 8 support to SMAP. This issue was identified by the Tomcat security team on 2 November 2014 and made public on 14 May 2015. Note: Vulnerabilities that are not Tomcat vulnerabilities but have either been incorrectly reported against Tomcat or where Tomcat provides a workaround are listed at the end of this page. Tomcat 8 Vulnerabilities Extend XML factory, parser etc.
Affects: 6.0.0 to 6.0.44 Low: Directory disclosure CVE-2015-5345 When accessing a directory protected by a security constraint with a URL that did not end in a slash, Tomcat would redirect to
Apache Tomcat 6.0.36 Vulnerabilities Affects: 6.0.0-6.0.35 released 5 Dec 2011
Fixed in Apache Tomcat 6.0.35 Note: The issues below were fixed in Apache Tomcat 6.0.34 but the release vote for the 6.0.34 release candidate did
This was fixed in revision 1394456. This was fixed in revision 1057270.
These inefficiencies could allow an attacker, via a specially crafted request, to cause large amounts of CPU to be used, which in turn could create a denial of service. Avoid some casts in StandardContext. (markt) Add security policy and token poller protection to the JRE memory leak protection provided in Tomcat 6. (markt/kkolinko) 50026: Add support for mapping the default
- Affects: 6.0.0-6.0.18 Low: Information disclosure CVE-2009-0783 Bugs 29936 and 45933 allowed a web application to replace the XML parser used by Tomcat to process web.xml, context.xml and tld files.
- Patch: Following are links for downloading patches to fix the vulnerabilities: Apache Tomcat 6.x (http://tomcat.apache.org/download-60.cgi), Apache Tomcat 7.x (http://tomcat.apache.org/download-70.cgi), Apache Tomcat 8.x (http://tomcat.apache.org/download-80.cgi)
- Affects: 6.0.0-6.0.20 Low: Insecure default password CVE-2009-3548 The Windows installer defaults to a blank password for the administrative user.
Apache Tomcat 6.0.36 Vulnerabilities
Test case provided by David Marcks. (kkolinko) Replace unneeded call that iterated the events queue in NioEndpoint.Poller. (kkolinko) Improve MimeHeaders.toString(). (kkolinko) Allow the BIO HTTP connector to be used with SSL when
When running with a SecurityManager, the initialization method of ResourceLinkFactory is protected by requiring a RuntimePermission. (kkolinko) Extend the feature available in the cluster session manager implementations that enables session attribute
Although the root cause was quickly identified as a JVM issue and that it affected multiple JVMs from multiple vendors, it was decided to report this as a Tomcat vulnerability until
It is equivalent to the LimitRequestFields directive of Apache HTTPD. Important: Remote Denial Of Service CVE-2011-0534 The NIO connector expands its buffer endlessly during request line processing. This was first discussed on the public Tomcat users mailing list on 19 June 2009. Apache Tomcat Input Validation Security Bypass Vulnerability
Are you on 6.0? Based on a patch by F. This was first reported to the Tomcat security team on 11 Dec 2008 and made public on 8 Jun 2009. To work around this until a fix is available in JSSE, a new connector attribute allowUnsafeLegacyRenegotiation has been added to the BIO connector.
We are still getting dinged with this even though it's only querying the version. It did not consider the use of quotes or %5C within a cookie value.
This simplifies configuration if someone wants to move the output directory elsewhere (e.g.
But it doesn't seem to work on this website. Patch by Willem Fibbe. (kkolinko) Tomcat 6.0.34 (jfclere) not released Catalina 51550: Display an error page rather than an empty response for an IllegalStateException caused by too many active sessions. (markt) 51640: I also see the request reaches the server but not my servlet. Apache Tomcat 6.0.24 Vulnerabilities Affects: 6.0.0-6.0.16 Important: Information disclosure CVE-2008-2370 When using a RequestDispatcher, the target path was normalised before the query string was removed.
Patch provided by F. Arnoud (kfujino) Fix a behavior of TcpPingInterceptor#useThread. Rearrange, add section on HTML GUI, document /expire command and Server Status page. (kkolinko) 54143: Add display of the memory pools usage (including PermGen) to the Status page of the Manager This was first reported to the Tomcat security team on 31 Dec 2009 and made public on 21 Apr 2010. Session persistence is performed by Tomcat code with the permissions assigned to Tomcat internal code.
This was identified by the Tomcat security team on 12 Nov 2010 and made public on 5 Feb 2011. The location of the work directory is specified by a ServletContext attribute that is meant to be read-only to web applications. This was identified by the Tomcat security team on 22 September 2011 and made public on 17 January 2012. This behaviour is controlled by the autoDeploy attribute of a host, which defaults to true.
See Also: http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.36
Plugin Information
- Plugin ID: 800612
- Plugin Family: Web Servers
- Plugin Publication Date: 2012/11/26
- Vulnerability Publication Date: 2012/07/02
- Patch Publication Date: 2012/10/19
- Nessus Plugin ID: 62987
Risk Information
- Risk Factor: Medium
- CVSS Base Score: 6.8
- CVSS
Patch provided by Alexis Hassler. (markt) 51156: Ensure session expiration option is available in Manager application was running web applications that were defined in server.xml. (markt) Correct the log4j configuration settings These options are available for all of the Manager implementations that ship with Tomcat. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability.
Introduces a new HTTP header parser that follows RFC2616. (markt) 54691: Add configuration attribute "sslEnabledProtocols" to HTTP connector and document it. (Internally this attribute has already been implemented but not documented, This issue was identified by the Tomcat security team on 12 April 2014 and made public on 27 May 2014. Note that this mode requires tomcat-native 1.1.23 or later linked to a FIPS-capable OpenSSL library, which one has to build oneself. (schultz/kkolinko) Improve synchronization and error handling in AprLifecycleListener. The second and third issues were discovered by the Tomcat security team during the resulting code review.
The cluster implementation persists sessions to one or more additional nodes in the cluster.