Sun Country's Weblog archive
Date : April 6, 2011

4 from Apache

by alan
Published on: April 6, 2011
Comments: No Comments
Categories: Apache


[SECURITY] CVE-2011-1475 Apache Tomcat information disclosure

CVE-2011-1475 Apache Tomcat information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.11
- Earlier versions are not affected

Description:
Changes introduced to the HTTP BIO connector to support Servlet 3.0
asynchronous requests did not fully account for HTTP pipelining. As a
result, when using HTTP pipelining a range of unexpected behaviours
occurred including the mixing up of responses between requests. While
the mix-up in responses was only observed between requests from the same
user, a mix-up of responses for requests from different users may also
be possible.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat 7.0.12 or later
- Switch to the NIO or APR/native HTTP connectors that do not exhibit
this issue

Credit:
This issue was identified by Brad Piles and reported via the public ASF
Bugzilla issue tracking system.
The Apache Tomcat security team requests that security vulnerability
reports are made privately to security@tomcat.apache.org in the first
instance.

References:

http://tomcat.apache.org/security.html

http://tomcat.apache.org/security-7.html

———————————————————————
To unsubscribe, e-mail: announce-unsubscribe@apache.org
For additional commands, e-mail: announce-help@apache.org


[SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass

CVE-2011-1183 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.11
- Earlier versions are not affected

Description:
A regression in the fix for CVE-2011-1088 meant that security
constraints were ignored when no login configuration was present in the
web.xml and the web application was marked as meta-data complete.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat 7.0.12 or later
- Ensure a login configuration is defined in web.xml

Credit:
This issue was identified by the Apache Tomcat security team.

References:

http://tomcat.apache.org/security.html

http://tomcat.apache.org/security-7.html

———————————————————————
To unsubscribe, e-mail: announce-unsubscribe@apache.org
For additional commands, e-mail: announce-help@apache.org


[ANN] Apache Tomcat 7.0.12 released

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.12.

Apache Tomcat 7.0.12 includes bug fixes and the following new features
compared to version 7.0.11:

* initial support for SPNEGO/Kerberos authentication (also referred to
as Windows authentication);
* provide a new configuration option to define a close method to call on
a JNDI resource when it is no longer required;
* optional support for pre-emptive authentication.

Please refer to the change log for the list of changes:

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Known issues:
* HTTP pipelining is likely to fail with 505 errors with the HTTP BIO
connector (bug 50957). The other connectors (HTTP NIO, HTTP APR/native,
AJP BIO & AJP APR/native) are not affected.

Note that this version has 4 zip binaries: a generic one and three
bundled with Tomcat native binaries for Windows operating systems
running on different CPU architectures.

Downloads:

http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:

http://tomcat.apache.org/migration.html

Thank you,

– The Apache Tomcat Team

———————————————————————
To unsubscribe, e-mail: announce-unsubscribe@apache.org
For additional commands, e-mail: announce-help@apache.org


[ANNOUNCEMENT] Apache Gora 0.1-incubating Released

Hi All,

The Gora community has released Apache Gora 0.1-incubating under the
Apache Incubator.

Apache Gora is an ORM framework for column stores such as Apache HBase
and Apache Cassandra with a specific focus on Hadoop.

The source files for 0.1-incubating release is available at:

http://www.apache.org/dist/incubator/gora/0.1-incubating

In the new hours, the release may not be available on all mirrors.
When downloading from a mirror site, please remember to verify the
downloads using signatures found on the Apache site:

http://www.apache.org/dist/incubator/gora//0.1-incubating/KEYS-0.1-incubating

For more information on Apache Gora, visit the project home page:

http://incubator.apache.org/gora/

Thanks,

Henry
Apache Gora 0.1-incubating Release Manager

———————————————————————
To unsubscribe, e-mail: announce-unsubscribe@apache.org
For additional commands, e-mail: announce-help@apache.org

Android Developers Blog: I think I’m having a Gene Amdahl moment

by alan
Published on: April 6, 2011
Comments: No Comments
Categories: Android / Chrome / Google

http://goo.gl/s4ncy

Sprint Extends Agreement Worth $1.2 Billion to Provide Wireline/Wireless Voice and Data Services to VHA, the Leading National Health Care Purchasing Network

by alan
Published on: April 6, 2011
Comments: No Comments
Categories: Sprint

http://newsroom.sprint.com/article_display.cfm?article_id=1856


Assurance Wireless to Aid Arkansas Residents Facing Economic Hardship with Free Cell Phone and Wireless Service


http://newsroom.sprint.com/article_display.cfm?article_id=1855

Industrial Light & Magic’s Rango Rides Into the Wild West With Help From NVIDIA Quadro

by alan
Published on: April 6, 2011
Comments: No Comments
Categories: Movies - Theatre, nVidia

http://pressroom.nvidia.com/easyir/customrel.do?easyirid=A0D622CE9F579F09&version=live&prid=741106&releasejsp=release_157&xhtml=true

How many people who work at Pixar are actually part of the movie?

Novell First to Enable Development of .NET Applications for Android using Microsoft Visual Studio

by alan
Published on: April 6, 2011
Comments: No Comments
Categories: Novell

http://www.novell.com/news/press/2011/4/novell-first-to-enable-development-of-net-applications-for-android-using-microsoft-visual-studio.html

Fixing the little things – Official Gmail Blog

by alan
Published on: April 6, 2011
Comments: No Comments
Categories: Android / Chrome / Google

http://gmailblog.blogspot.com/2011/04/fixing-little-things.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed: OfficialGmailBlog (Gmail Blog)

Oracle’s New x86 Servers Demonstrate World Record 4 Processor Performance on Industry-Standard Benchmark

by alan
Published on: April 6, 2011
Comments: No Comments
Categories: Oracle

http://www.oracle.com/us/corporate/press/354638

IBM Sets Performance Records with New eX5 Servers

by alan
Published on: April 6, 2011
Comments: No Comments
Categories: IBM

http://www-03.ibm.com/press/us/en/pressrelease/34204.wss

HP Enables Increased Productivity for Business Customers and Mobile Professionals

by alan
Published on: April 6, 2011
Comments: No Comments
Categories: Hewlett-Packard

http://www.hp.com/hpinfo/newsroom/press/2011/110406xb.html?mtxs=rss-corp-news

New Inkjet Printers.

Interesting Facts.

Can print 500 pages by using a fully charged lithium ion battery

Bluetooth Wireless

50-sheet paper tray

22ppm

Can connect to a PictBridge compatible device

Energy Star qualified


HP Advances Software Strategy with Plans for New Bay Area Facility


http://www.hp.com/hpinfo/newsroom/press/2011/110406a.html?mtxs=rss-corp-news

Official Google Blog: Ladies and gentlemen, start your editors! Registration now open for Google Code Jam 2011

by alan
Published on: April 6, 2011
Comments: No Comments
Categories: Android / Chrome / Google

http://goo.gl/mQxNc


Supporting our beloved science museums


http://goo.gl/s2w4o

Page 2 of 512345
Relatives & Friends Web Sites
Deballage Portland


Leah''s Pastries


My Uncle''s Handcrafted Night Lights


Oracle Solaris 11 First Looks - I was a Technical Reviewer for this book


Power & Compassion Christian Marriage Retreat


Support this blog by shopping on Amazon
Categories
Recent Posts
  • WTF is… LTE Advanced?… by alan
    thumb

    WTF is… LTE Advanced?   ‘Lab-smashing’ Stuxnet HELPED Iran’s nuke effort, says brainiac

  • New smart fabric mimics the… by alan
    thumb

    http://goo.gl/tlRw2

  • AWS cloud gains critical fe… by alan
    thumb

    http://www.theregister.co.uk/2013/05/21/amazon_aws_certification/

  • How to migrate a user accou… by alan
    thumb

    http://goo.gl/H4h2g   If you use the command line logon for Solaris you can get by without creating an files in your home directory.  For Gnome (The Desktop) you can just tar up the home directory and untar it onto a different system. The obvious way to do this of course is to use Network Information[...]

  • Spotify debuts weekly top 5… by alan
    thumb

    Spotify debuts weekly top 50   Optical drives not working with Mountain Lion for some

  • Sprint: Oklahoma $0, Boost/… by alan
    thumb

    Sprint to Waive Voice, Data and Text Messaging Overage Charges for Oklahoma Residents Affected by Recent Tornado   Boost Mobile and Virgin Mobile USA Each Strengthen Their 4G LTE Lineups With Award-Winning Samsung Galaxy S III in June   Waterproof Kyocera Hydro Edge Splashes into Sprint and Boost Mobile this Summer   Boost Mobile Customers[...]

  • Dell to Enable Hyper-V and … by alan
    thumb

    http://www.fortmilltimes.com/2013/05/20/2703474/dell-to-enable-hyper-v-and-windows.html

  • Cloud Computing Grows Up: B… by alan
    thumb

    http://goo.gl/U4GSa

  • Quantum Delivers Simple, Op… by alan
    thumb

    http://phx.corporate-ir.net/phoenix.zhtml?c=69905&p=RssLanding&cat=news&id=1822582

  • Active Directory, 5th Edition by alan
    thumb

    http://goo.gl/p8vNo

Categories
Recent Comments
  • AlanPae on Homeland Security cuts off …
    From Mt.Gox Web Site:  https://mtgox.com/press_release_20130515.html alan
  • AlanPae on SPARC T5-8 (Fastest CPU Eve…
    Another thing to consider would be to roll your own Apache/MySql/phpMyAdmin/php and then just run it all locally.  Shouldn't have ...
  • AlanPae on ecSTATic WordPress Statisti…
    Looking over the comments for the just released update to WordFence: 3.6.1 Major new release that includes the much asked for IP ...
  • AlanPae on Tech Support or Pest Removal?
    I'm told the mouse was released unharmed into a field.
  • AlanPae on Baby, Baby (b)
    Rabbits, Otters, Cheetahs, Owls
  • price on Crooks inject malicious Jav…
    In case of online forex transactions, a small bug in the software can transform into a huge security threat ...
  • AlanPae on DOS based web sites?
    Still More Feedback:network.http.max-connections-per-server;15 <-- Will bump this up  network.http.max-persistent-connections-per-server;6 <-- This as well. "A single-user client SHOULD NOT maintain more than 2 ...
  • AlanPae on DOS based web sites?
    Got some feedback.Setting these in Firefox's about:config greatly alleviated the issue:network.http.pipelining.ssl;truenetwork.http.proxy.pipelining;truenetwork.http.pipelining.maxrequests;64 network.http.pipelining.max-optimistic-requests;20network.http.pipelining.aggressive;truenetwork.http.pipelining;truenetwork.http.max-connections-per-server;64network.http.max-persistent-connections-per-server;64.I'm also now seeing connections coming from:static.twtelecom.netWhich is different ...
  • AlanPae on DOS based web sites?
    Got some more feedback.Specifically:Setting in Firefox about:confignetwork.http.pipelining.ssl;truenetwork.http.proxy.pipelining;truenetwork.http.pipelining.maxrequests;64network.http.pipelining.max-optimistic-requests;20network.http.pipelining.aggressive;truenetwork.http.pipelining;truenetwork.http.max-connections-per-server;64network.http.max-persistent-connections-per-server;64Has greatly reduced the issue.  I'm also seeing connections from: static.twtelecom.netWhich I wasn't seeing yesterday ...
  • AlanPae on Research In Motion Launches…
    Like anyone else RIM will probably go wherever they can as long as revenue greater than expenses.
Welcome , today is Tuesday, May 21, 2013