Skip to main content

Tomcat Security Issue - Information Disclosure

A new Tomcat security issue has been reported that affects Tomcat versions 7.0.0 through 7.0.21 and versions 6.0.30 through 6.0.33.

According to the Tomcat mailing lists:

"CVE-2011-3375 Apache Tomcat Information disclosure

Severity: Important

Description:
For performance reasons, information parsed from a request is often cached in two places: the internal request object and the internal processor object. These objects are not recycled at exactly the same time. When certain errors occur that needed to be added to the access log, the access logging process triggers the re-population of the request object after it has been recycled. However, the request object was not recycled before being used for the next request. That lead to information leakage (e.g. remote IP address, HTTP headers) from the previous request to the next request.

The issue was resolved be ensuring that the request and response objects were recycled after being re-populated to generate the necessary access log entries.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.22 or later
- Tomcat 6.0.x users should upgrade to 6.0.35 or later

Credit:
The issue was initially reported via Apache Tomcat's public issue tracker with the potential security implications identified by the Apache Tomcat security team."

Comments

Popular posts from this blog

A Simple Makefile for a GTK/GTKMM Project

When compiling small applications, its fairly easy just to compile using g++ from the command line. If you’re compiling anything more complex than a single file, its probably easier to use a Makefile. This example Makefile demonstrates how to compile an application that uses the GTKMM library. NAME=my-app CFLAGS=-g -Wall -o $(NAME) GTKFLAGS=`pkg-config --cflags --libs gtkmm-3.0` SRCS=main.cc myapp.cc CC=g++ # Do all all: main # Compile main: $(SRCS) $(CC) $(CFLAGS) $(SRCS) $(GTKFLAGS) # Clean clean: rm -f $(NAME) rm -f *.h~ rm -f *.cc~ rm -f Makefile~ rm -f *.glade~

Changing Default Search Provider in Firefox on Linux Mint

On Linux Mint, the default version of Firefox is installed and configured to allow the following search engines to be queried directly from the address bar: Yahoo! Startpage DuckDuckGo Wikipedia Mint defines these as the default available set of search engines based upon 3 criteria (funding to Linux Mint, privacy support and whether the search engine is non-commercial). Other search engines such as Google, Bing or Twitter, etc. can easily be added into the default version of Firefox however. To add a different search provider, browse to Search Engines At the bottom of the page, click on the icon of the requested search engine, then click on the ... button in the URL bar and select the Add Search Engine option. You then have the option to change the default search engine within Firefox preferences to your new choice.

Eclipse releases Ganymede

The Eclipse Foundation has  released  Ganymede, the latest annual release this time containing 23 Eclipse projects including the Eclipse IDE version 3.4. This latest version of the annual Eclipse release contains many new features including: Equinox P2  - a system to make installations and updated to Eclipse easier JSDT  - A new JavaScript editor Improved JavaScript support for the Business Intelligence and Reporting Tools,  BIRT Graphical database query tools Improved support for Java EE 5 SOA support and many other features. Further information, inclusing webinars and demos can be found on the  project website  . This new release can be downloaded from the  Eclipse web site  .