News and Announcements (at) Apache Software Foundation. 노안돼지
The Apache Software Foundation provides support for the Apache community of open-source software projects.
Apache projects are characterized by a collaborative, consensus-based development process, an open and pragmatic software license, and a desire to create high-quality software that leads the way in its field.

We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 7.0.0 to 7.0.19
Tomcat 6.0.30 to 6.0.32
Tomcat 5.5.32 to 5.5.33

Description:
Due to a bug in the capabilities code, jsvc (the service wrapper for Linux that is part of the Commons Daemon project) does not drop capabilities allowing the application to access files and directories owned by superuser. This vulnerability only applies if:
a) Tomcat is running on a Linux operating system
b) jsvc was compiled with libcap
c) -user parameter is used
The Tomcat versions above shipped with source files for jsvc that included this vulnerability.

Mitigation:
Affected users of all versions can mitigate these vulnerabilities by taking any of the following actions:
a) upgrade to jsvc 1.0.7 or later
b) do not use -user parameter to switch user
c) recompile the jsvc without libcap support

Updated jsvc source is included in Apache Tomcat 7.0.20 and will be included in the next releases of Tomcat 6.0.x and 5.5.x. Updated source can be obtained from the Apache Commons Daemon project.

Credit:
This issue was identified by Wilfried Weissmann.

Apache Commons Daemon security vulnerability information

News/Notices | 2011. 8. 16. 17:51 | Posted by 노안돼지
CVE-2011-2729: Commons Daemon fails to drop capabilities

Severity: high

Vendor:
The Apache Software Foundation

Versions Affected:
Commons Daemon 1.0.3 to 1.0.6
Additionally, these vulnerabilities only occur when all of the following are true:
a) running on Linux operating system
b) jsvc was compiled with libcap
c) -user parameter is used

Description:
Due to a bug in the capabilities code, jsvc does not drop capabilities, allowing the application to access files and directories owned by the superuser.

Mitigation:
Affected users of all versions can mitigate these vulnerabilities by taking any of the following actions:
a) upgrade to a version where the vulnerabilities have been fixed: jsvc 1.0.3 - 1.0.6 users should upgrade to version 1.0.7
b) do not use -user parameter to switch user
c) recompile the jsvc without libcap support

Example:
[root@fedora jsvctest]# ./jsvc -cp commons-daemon-1.0.6.jar:. -user jsvc ....
[root@fedora jsvctest]# grep ^Cap /proc/<pid>/status
CapInh: 0000000000000406
CapPrm: 0000000000000406
CapEff: 0000000000000406
CapBnd: ffffffffffffffff

[root@fedora jsvctest]# ./jsvc -cp commons-daemon-1.0.7.jar:. -user jsvc ....
[root@fedora jsvctest]# grep ^Cap /proc/<pid>/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff

Credit:
This issue was identified by Wilfried Weissmann.
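The two advisories above describe the same failure mode: after jsvc switches to the user given with -user, the process should hold no capabilities, yet the 1.0.6 output shows CapEff = 0x406. The following script, added here as an example and not code from the Commons Daemon project or from the advisory, decodes those hex masks into capability names (bit numbers taken from linux/capability.h) and flags a process that runs under a non-root uid while still holding effective capabilities. The sample /proc/<pid>/status texts are constructed from the Cap* lines printed above; the Uid line, the uid value 1001 and the function names are assumptions made for the example.

```python
"""Decode the Cap* lines of /proc/<pid>/status and flag a process that has
switched to a non-root user but still holds effective capabilities.

Added example; not part of the Commons Daemon advisory or project code.
"""
import re
import sys

# Capability bit numbers from linux/capability.h (list index == bit number).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

# Constructed sample: the jsvc 1.0.6 Cap* lines from the advisory plus an
# assumed Uid line for the unprivileged "jsvc" user (uid 1001 is made up).
VULNERABLE_STATUS = """Uid:\t1001\t1001\t1001\t1001
CapInh:\t0000000000000406
CapPrm:\t0000000000000406
CapEff:\t0000000000000406
CapBnd:\tffffffffffffffff
"""

# Constructed sample: the jsvc 1.0.7 Cap* lines from the advisory, same uid.
FIXED_STATUS = """Uid:\t1001\t1001\t1001\t1001
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\tffffffffffffffff
"""


def decode_caps(mask_hex):
    """Turn a hex capability mask as printed in /proc/<pid>/status into names."""
    mask = int(mask_hex, 16)
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits the table does not know (newer kernels) are reported by number.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_status(text):
    """Collect the Uid and Cap* fields of /proc/<pid>/status into a dict of token lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Uid|CapInh|CapPrm|CapEff|CapBnd):\s+(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).split()
    return fields


def audit_status(text):
    """Report the effective uid, the decoded effective capability set, and
    whether the process kept capabilities after switching to a non-root uid."""
    fields = parse_status(text)
    # Uid line order is: real, effective, saved, filesystem.
    euid = int(fields["Uid"][1]) if "Uid" in fields else None
    cap_eff = decode_caps(fields["CapEff"][0]) if "CapEff" in fields else []
    retained = euid is not None and euid != 0 and bool(cap_eff)
    return {"euid": euid, "cap_eff": cap_eff, "retained_caps_as_nonroot": retained}


if __name__ == "__main__":
    # With a pid argument, audit a live process; otherwise show both samples.
    if len(sys.argv) == 2:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            print(audit_status(fh.read()))
    else:
        print("jsvc 1.0.6 sample:", audit_status(VULNERABLE_STATUS))
        print("jsvc 1.0.7 sample:", audit_status(FIXED_STATUS))
```

Decoding 0x406 yields CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH and CAP_NET_BIND_SERVICE; the first two bypass file permission checks, which is exactly why the advisory says the application can reach files and directories owned by the superuser. Running the script with a pid argument against a jsvc process started with -user gives a quick check of whether the installed jsvc build actually drops its capabilities.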

Apache Commons Daemon 1.0.7 release

News/Notices | 2011. 8. 16. 17:49 | Posted by 노안돼지
The Apache Commons Daemon team is pleased to announce the commons-daemon-1.0.7 release!
Version 1.0.7 is a bug fix release fixing the CVE-2011-2729 security issue.

Source and binary distributions are available for download from the Apache Commons download site:

http://commons.apache.org/daemon/download_daemon.cgi

When downloading the release, please verify signatures using the KEYS file available at the above location.

For more information on Apache Commons Daemon, visit the Commons Daemon home page:

http://commons.apache.org/daemon/

Apache Tomcat 7.0.20 release

News/Notices | 2011. 8. 16. 17:49 | Posted by 노안돼지
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.20

Apache Tomcat 7.0.20 includes bug fixes and the following new features and fixes compared to version 7.0.19:
- JSP files with dependencies in JARs are no longer recompiled on every access thereby improving performance.
- Update to version 1.1.22 of the native component of the AJP and HTTP APR/native connectors.
- Update to Commons Daemon 1.0.7.
- Converted unit tests to JUnit 4.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three
bundled with Tomcat native binaries for Windows operating systems
running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

-- The Apache Tomcat Team

Apache Subversion 1.7.0-beta3 release

News/Notices | 2011. 8. 16. 17:48 | Posted by 노안돼지
This is a pre-release for what will eventually become Apache Subversion 1.7.0.  There may still be minor issues, but all known blocking issues have been fixed.

A pre-release means the Subversion developers feel that this release is ready for widespread testing by the community.  Please use it at your own risk, though we do encourage people to test this release thoroughly.  Of particular note, please remember that persistent data, such as the working copy or repository formats, may change before the final release, and there may not be an upgrade path from the pre-releases to the final.

As a note to operating system distro packagers: while we wish to have this release candidate widely tested, we do not feel that it is ready for packaging and providing to end-users through a distro package system.  Packaging a release candidate poses many problems, the biggest being that our policy lets
us break compatibility between the release candidate and the final release, if we find something serious enough.  Having many users depending on a release candidate through their distro would cause no end of pain and frustration that we do not want to have to deal with.  However, if your distro has a branch that is clearly labeled as containing experimental and often broken software, and explicitly destined to consenting developers and integrators only, then we're okay with packaging the release candidate there.  Just don't let it near the end users please.


Release notes for the 1.7.x release series may be found at:

   http://subversion.apache.org/docs/release-notes/1.7.html

You can find the list of changes between 1.7.0-beta3 and earlier versions at:

   http://svn.apache.org/repos/asf/subversion/tags/1.7.0-beta3/CHANGES

Questions, comments, and bug reports to users@subversion.apache.org.

Thanks,
- The Subversion Team