Apache Tomcat Important Updates Released!

The Apache Tomcat developers have released versions 7.0.23, 6.0.34 and 5.5.35 of the Java servlet and JSP container after recent investigations revealed inefficiencies in how large numbers of parameters and parameter values were handled. Analysis of the recent hash collision denial of service vulnerability allowed the developers to identify “unrelated inefficiencies” which could be exploited by a specially crafted request, causing large amounts of CPU to be consumed. The developers have now modified the code to efficiently process large numbers of parameters and values.

Tomcat 7.0.23 and 6.0.34 also address an information leakage issue which was not present in earlier versions. When parsing requests, for performance reasons, information is cached in two places and is not recycled at the same time. In certain circumstances one of those caches is reused, leaving the previous request’s IP address and headers in the cache of the new request.
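The failure pattern described above, as an added example that is not Tomcat's source code: a simplified model of a pooled request object whose two caches are reset at different times, followed by the corrected recycling. The class names (`RawRequest`, `CachedView`), the `Cookie` header and the addresses are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of a reused request object; hypothetical names, not Tomcat code.
public class RecycleLeakDemo {
    // First cache: raw data filled in by the connector for each request.
    static class RawRequest {
        String remoteAddr;
        final Map<String, String> headers = new HashMap<>();
        void recycle() { remoteAddr = null; headers.clear(); }
    }
    // Second cache: lazily computed view kept for performance.
    static class CachedView {
        private final RawRequest raw;
        private String addrCache;
        private Map<String, String> headerCache;
        CachedView(RawRequest raw) { this.raw = raw; }
        String getRemoteAddr() {
            if (addrCache == null) addrCache = raw.remoteAddr;
            return addrCache;
        }
        String getHeader(String name) {
            if (headerCache == null) headerCache = new HashMap<>(raw.headers);
            return headerCache.get(name);
        }
        void recycle() { addrCache = null; headerCache = null; }
    }
    // Fills the pooled objects for one request and returns what the application sees.
    static String[] serve(RawRequest raw, CachedView view, String addr, String cookie) {
        raw.remoteAddr = addr;
        raw.headers.put("Cookie", cookie);
        return new String[] { view.getRemoteAddr(), view.getHeader("Cookie") };
    }
    public static void main(String[] args) {
        RawRequest raw = new RawRequest();
        CachedView view = new CachedView(raw);
        serve(raw, view, "198.51.100.7", "session=alice");
        raw.recycle();   // flawed: only one of the two caches is reset
        String[] leaked = serve(raw, view, "203.0.113.9", "session=bob");
        System.out.println("partial recycle: " + leaked[0] + " " + leaked[1]);
        raw.recycle();
        view.recycle();  // corrected: both caches reset at the same point
        String[] clean = serve(raw, view, "203.0.113.9", "session=bob");
        System.out.println("full recycle:    " + clean[0] + " " + clean[1]);
    }
}
```

After the partial recycle, the second request is answered with the first request's address and header; after both caches are recycled together, it sees only its own values.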

The Tomcat 7.0.23 release also includes some new features such as the ability to start and stop child containers in parallel, improved start times through caching and better handling of failed deployments. Full details of the new features and the many bug fixes are available in the 7.0.23 changelog.

There are also some bug fixes noted in the 5.5.35 changelog and 6.0.34 changelog. The developers also remind users that the Tomcat 5.5 branch reaches its end of life on 30 September 2012 and will almost completely disappear at the end of the year.

Users can download version 7.0.23, version 6.0.34 and version 5.5.35 from the Apache Tomcat site.

