09b30e93b2
Important: Session fixation CVE-2013-2067

FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that would be executed using the victim's credentials.

Note that the option to change session ID on authentication was added in Tomcat 6.0.21. In earlier 6.0.x releases, prevention of session fixation was an application responsibility. This vulnerability represents a bug in Tomcat's session fixation protection that was added in 6.0.21. Hence, only versions 6.0.21 onwards are listed as vulnerable.

This was fixed in revision 1417891.

This issue was identified by the Tomcat security team on 15 Oct 2012 and made public on 10 May 2013.

Affects: 6.0.21-6.0.36

Important: Denial of service CVE-2012-3544

When processing a request submitted using the chunked transfer encoding, Tomcat ignored but did not limit any extensions that were included. This allows a client to perform a limited DoS by streaming an unlimited amount of data to the server.

This was fixed in revision 1476592.

This issue was reported to the Tomcat security team on 10 November 2011 and made public on 10 May 2013.

Affects: 6.0.0-6.0.36

ChangeLog:
++++++++++

Catalina
- fix 52055: Ensure that filters are recycled. (markt/kkolinko)
- fix 52184: Reduce log level for invalid cookies. (markt)
- fix 53481: Added support for SSLHonorCipherOrder to allow the server to impose its cipher order on the client. Based on a patch provided by Marcel Šebek. (schultz)
- fix 54044: Correct bug in timestamp cache used by logging (including the access log valve) that meant entries could be made with an earlier timestamp than the true timestamp. (markt)
- fix In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form. (kkolinko)
- fix 54054: Do not share shell environment variables between multiple instances of the CGI servlet. (markt)
- fix 54087: Correctly handle (ignore) invalid If-Modified-Since header rather than throwing an exception. (markt/kkolinko)
- fix 54220: Ensure the ErrorReportValve only generates an error report if the error flag on the response has been set. (markt)
- fix Fix memory leak of servlet instances when running with a SecurityManager and either init() or destroy() methods fail or the servlet is a SingleThreadModel one, and of filter instances if their destroy() method fails with an Error. (kkolinko)
- fix 54382: Fix NPE when SSI processing is enabled and an empty SSI directive is present. (markt)
- fix 54483: Correct one of the Spanish translations. Based on a suggestion from adinamita. (kkolinko)
- update 54527: Synchronize conf/web.xml mime mapping with Tomcat 7. (markt)

Coyote
- fix 54248: Ensure that byte order marks are swallowed when using a Reader to read a request body with a BOM for those encodings that require byte order marks. (markt)
- fix 54324: Allow APR connector to disable TLS compression if OpenSSL supports it. (schultz)
- fix 54456: Ensure that if a client aborts a request when sending a chunked request body that this is communicated correctly to the client reading the request body. (markt)
- update Update the native component of the APR/native connector to 1.1.27 and make that version the recommended minimum version. (kkolinko)

Jasper
- fix 54615: Tomcat 6 doesn't build against ecj 4.x (kkolinko)

Cluster
- fix 54045: Make sure getMembers() returns available member when TcpFailureDetector works in static cluster. (kfujino)

Web applications
- update 22278: Add a commented out sample configuration of RemoteAddrValve to META-INF/context.xml files of the Manager and Host Manager applications. (kkolinko)
- fix 54080: Clarify documentation for initial value of internalProxies attribute of RemoteIpValve. (schultz/kkolinko)
- fix 54198: Clarify that HttpServletResponse.sendError(int) results in an HTML response by default. (markt)
- fix 54207: Correct JNDI factory package name in Javadoc for org.apache.naming.java.javaURLContextFactory. (markt)

Other
- update Add sample Apache Commons Daemon JSVC wrapper script bin/daemon.sh that can be used with /etc/init.d. (kkolinko)
- update In the build configuration: introduce property "tomcat.output" that is used to specify location of the build output directory. This simplifies configuration if someone wants to move the output directory elsewhere (e.g. out of the source tree). (kkolinko)
- fix 54390: Use 'java_home' on Mac OS X to auto-detect JAVA_HOME. (schultz)
- update 54601: Change catalina.sh to consistently use LOGGING_MANAGER variable to configure logging, instead of modifying JAVA_OPTS one. (kkolinko)
- update 54890: Update to Apache Commons Daemon 1.0.15. (mturk)
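The CVE-2012-3544 entry above describes a chunked-encoding decoder that skipped chunk extensions without bounding them, so a client could keep the connection busy streaming extension bytes forever. The following is an added illustration, not Tomcat's code and not part of this commit: a small streaming chunked-body decoder that reads the chunk-size line byte by byte and aborts as soon as the extension (or a trailer line) exceeds a cap, so the server never has to consume or buffer unbounded input. The limits `MAX_EXTENSION_BYTES` and `MAX_TRAILER_LINES`, the `ChunkedDecodeError` type and the sample bodies are all assumptions made for the example.

```python
"""Streaming HTTP/1.1 chunked-body decoder with bounded chunk extensions.

Added example (not Tomcat code). The point it demonstrates: the decoder
must stop reading a chunk-size line once the extension grows past a limit,
instead of silently discarding an unlimited stream of extension bytes.
"""
import io
import re
from typing import BinaryIO, Optional

MAX_EXTENSION_BYTES = 4096   # assumed cap on ";name=value" extension bytes per chunk
MAX_TRAILER_LINES = 32       # assumed cap on trailer header lines after the last chunk
MAX_TRAILER_LINE_BYTES = 8192
_HEX_SIZE = re.compile(rb"[0-9A-Fa-f]{1,16}")


class ChunkedDecodeError(ValueError):
    """Raised for malformed input or when a limit is exceeded."""


def _read_line(stream: BinaryIO, limit: int) -> bytes:
    """Read one CRLF-terminated line, never holding more than `limit` bytes.

    Reading byte by byte with a cap is what turns an attacker-controlled,
    unbounded line into a bounded error instead of unbounded consumption.
    """
    buf = bytearray()
    while True:
        b = stream.read(1)
        if not b:
            raise ChunkedDecodeError("truncated line")
        buf += b
        if buf.endswith(b"\r\n"):
            return bytes(buf[:-2])
        if len(buf) > limit:
            raise ChunkedDecodeError(f"line exceeds {limit} bytes")


def decode_chunked(stream: BinaryIO,
                   max_extension_bytes: int = MAX_EXTENSION_BYTES) -> bytes:
    """Decode a chunked message body from `stream` and return the payload."""
    out = bytearray()
    while True:
        # chunk-size [ ";" chunk-ext ] CRLF. The size field is at most 16 hex
        # digits, so the line cap is effectively a cap on the extension.
        line = _read_line(stream, 17 + max_extension_bytes)
        size_field, _, ext = line.partition(b";")
        if len(ext) > max_extension_bytes:
            raise ChunkedDecodeError("chunk extension exceeds limit")
        if not _HEX_SIZE.fullmatch(size_field):
            raise ChunkedDecodeError("bad chunk size")
        size = int(size_field, 16)
        if size == 0:
            # last-chunk: trailer header lines until an empty line, also bounded
            for _ in range(MAX_TRAILER_LINES):
                if _read_line(stream, MAX_TRAILER_LINE_BYTES) == b"":
                    return bytes(out)
            raise ChunkedDecodeError("too many trailer lines")
        chunk = stream.read(size)
        if len(chunk) != size:
            raise ChunkedDecodeError("truncated chunk data")
        out += chunk
        # chunk-data is followed by a bare CRLF
        if _read_line(stream, 2) != b"":
            raise ChunkedDecodeError("missing CRLF after chunk data")


def decode_bytes(body: bytes, **kw) -> bytes:
    """Convenience wrapper: decode an in-memory body."""
    return decode_chunked(io.BytesIO(body), **kw)


def decode_error(body: bytes, **kw) -> Optional[str]:
    """Return the decoder's error message for `body`, or None if it decodes."""
    try:
        decode_bytes(body, **kw)
        return None
    except ChunkedDecodeError as exc:
        return str(exc)


# Constructed sample bodies for the example.
GOOD_BODY = b"4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\nX-Trailer: yes\r\n\r\n"
OVERSIZED_EXT_BODY = b"1;" + b"x" * 5000 + b"\r\nA\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(decode_bytes(GOOD_BODY))
    print(decode_error(OVERSIZED_EXT_BODY))
```

With the cap in place the oversized-extension body is rejected after at most a few kilobytes are read, whereas a decoder that merely skips to CRLF would keep reading for as long as the client keeps sending.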
Files in this commit's directory:
  files
  DESCR
  distinfo
  Makefile
  MESSAGE
  PLIST