블로그 이미지
News and Announcements (at) Apache Software Foundation. 노안돼지
Apache Software Foundation The Apache User Group KLDP From download

Recent Post»

Recent Comment»

Recent Trackback»

Archive»

« 2011/8 »
1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31

 
 
아파치 소프트웨어 재단은 아파치 오픈 소스 소프트웨어 프로젝트 커뮤니티 지원을 제공합니다.
아파치 프로젝트는 협업과 개발 프로세스를 기반으로 하는 상호간의 공감대와 개방되어 있는 실용적인 소프트웨어 라이센스, 그 분야에서 선두를 달릴 수 있는 고품질 소프트웨어 개발을 추구하고 있습니다.

우리는 심플한 서버 공유 프로젝트의 모임이라고도 하지만 오히려 개발자와 사용자간의 커뮤니티라고 생각합니다.
CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.20
- Tomcat 6.0.0 to 6.0.33
- Tomcat 5.5.0 to 5.5.33
- Earlier, unsupported versions may also be affected

Description:
Apache Tomcat supports the AJP protocol which is used with reverse proxies to pass requests and associated data about the request from the reverse proxy to Tomcat. The AJP protocol is designed so that when a request includes a request body, an unsolicited AJP message is sent to Tomcat that includes the first part (or possibly all) of the request body. In certain circumstances, Tomcat did not process this message as a request body but as a new request. This permitted an attacker to have
full control over the AJP message which allowed an attacker to (amongst other things):
- insert the name of an authenticated user
- insert any client IP address (potentially bypassing any client IP address filtering)
- trigger the mixing of responses between users

The following AJP connector implementations are not affected:
org.apache.jk.server.JkCoyoteHandler (5.5.x - default, 6.0.x - default)

The following AJP connector implementations are affected:

org.apache.coyote.ajp.AjpProtocol (6.0.x, 7.0.x - default)
org.apache.coyote.ajp.AjpNioProtocol (7.0.x)
org.apache.coyote.ajp.AjpAprProtocol (5.5.x, 6.0.x, 7.0.x)

Further, this issue only applies if all of the following are are true
for at least one resource:
- POST requests are accepted
- The request body is not processed


Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a version of Apache Tomcat that includes a fix for this
issue when available
- Apply the appropriate patch
 - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev
 - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
 - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
- Configure the reverse proxy and Tomcat's AJP connector(s) to use the
requiredSecret attribute
- Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not
available for Tomcat 7.0.x)

Credit:
The issue was reported via Apache Tomcat's public issue tracker.
The Apache Tomcat security team strongly discourages reporting of
undisclosed vulnerabilities via public channels. All Apache Tomcat
security vulnerabilities should be reported to the private security team
mailing list: security@tomcat.apache.org

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=51698


:

Apache Tomcat 6.0.33 릴리즈

뉴스/소식 | 2011. 8. 19. 16:18 | Posted by 노안돼지
The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.33 stable.

Apache Tomcat 6.0.33 is primarily a security and bug fix release.
All users of older versions of the Tomcat 6.0 family should upgrade to 6.0.33.

Note that is version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for different CPU architectures.

Apache Tomcat 6.0 includes new features over Apache Tomcat 5.5, including support for the new Servlet 2.5 and JSP 2.1 specifications, a refactored clustering implementation, advanced IO features, and improvements in memory usage.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-60.cgi

Migration guide from Apache Tomcat 5.5.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team
:

Apache JMeter 2.5 릴리즈

뉴스/소식 | 2011. 8. 19. 00:08 | Posted by 노안돼지
The Apache JMeter team announces the availability of Apache JMeter 2.5
r1158837.

This is a new release which adds many new features and corrects a lot of bugs.

JMeter 2.5 requires Java 1.5 or later to run.

== All users are recommended to upgrade. ==

Apache JMeter is a Java application designed to test server applications.
It can be used to:
* generate test loads
* test functional behaviour
* measure performance.
It includes support for protocols such as HTTP(S), JDBC, JMS, FTP, and
others.
It can also be extended with user-written code.

See http://jakarta.apache.org/jmeter/

The release can be downloaded from:

http://jakarta.apache.org/site/downloads/downloads_jmeter.cgi

When downloading, please verify signatures using the KEYS file.

Only the binary archive is needed to run JMeter - there is no need to
download the source archive.

However there are some optional libraries which are not included.
See the "Getting Started" page for details:
http://jakarta.apache.org/jmeter/usermanual/get-started.html

The list of changes since version 2.4 can be found at:

http://jakarta.apache.org/jmeter/changes.html

All users are recommended to upgrade to this release.

Enjoy!
The JMeter team
:

Apache AntUnit 1.2 릴리즈

뉴스/소식 | 2011. 8. 19. 00:07 | Posted by 노안돼지
The Apache Ant Team is proud to announce the 1.2 release of Apache AntUnit.

AntUnit is a library of task and types for Apache Ant that can be used to perform functional tests using Ant build file.  It is especially well suited to test Ant tasks and types themselves.

Version 1.2 is mostly a bugfix release but also adds some new assertions and now supports passing of Ant references to the build under test.

Souurce and binary distributions are available from the Apache Ant download site:

http://ant.apache.org/antlibs/bindownload.cgi

Please verify signatures using the KEYS file available at the above location when downloading the release.

Changes in this version include

 


For complete information on AntUnit, including instructions
on how to submit bug reports, patches, or suggestions for improvement,
see the Apache AntUnit website:

http://ant.apache.org/antlibs/antunit/index.html

Stefan Bodewig, on behalf of the Apache Ant community
:

Apache Tomcat information 보안 취약점

뉴스/소식 | 2011. 8. 16. 17:53 | Posted by 노안돼지
CVE-2011-2481: Apache Tomcat information disclosure vulnerability

Severity: low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 7.0.0 to 7.0.16
Previous versions are not affected.

Description:
The re-factoring of XML validation for Tomcat 7.0.x re-introduced the vulnerability previously reported as CVE-2009-0783. This was initially reported as a memory leak
(https://issues.apache.org/bugzilla/show_bug.cgi?id=51395). If a web application is the first web
application loaded, this bug allows that web application to potentially view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance.

Mitigation:
7.0.x users should upgrade to 7.0.17 or later

Example:
See https://issues.apache.org/bugzilla/show_bug.cgi?id=29936#c12 for an example web application that can be used to replace the XML parser used by Tomcat.

Credit:
The security implications of bug 51395 were identified by the Tomcat
security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html

The Apache Tomcat Security Team
: