Sun Country's Weblog archive
Date : November 8, 2011

[SECURITY] CVE-2011-3376 Apache Tomcat – Privilege Escalation via Manager app

by alan
Published on: November 8, 2011
Comments: No Comments
Categories: Apache


CVE-2011-3376 Apache Tomcat – Privilege Escalation via Manager app

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.21

Description:
This issue only affects environments running web applications that are
not trusted (e.g. shared hosting environments). The Servlets that
implement the functionality of the Manager application that ships with
Apache Tomcat should only be available to Contexts (web applications)
that are marked as privileged. However, this check was not being made.
This allowed an untrusted web application to use the functionality of
the Manager application. This could be used to obtain information on
running web applications as well as to deploy additional web applications.

Mitigation:
Users of Tomcat 7.0.x should upgrade to 7.0.22 or later

Credit:
This issue was identified by Ate Douma

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html

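A small defender-side audit for the advisory above, added here as an example and not part of the advisory or of Tomcat itself: it tells whether a reported server version falls inside the affected range and lists Context definitions that declare privileged="true" outside the Manager apps. The `privileged` attribute is Tomcat's own Context setting; the context names and XML below are constructed samples.

```python
"""Audit helper for CVE-2011-3376 (added example, not from the advisory).

Two checks a Tomcat administrator would want:
  1. Is a reported version inside the affected range 7.0.0 - 7.0.21?
  2. Which Context definitions declare privileged="true"? Only the Manager
     apps are expected to; any other privileged context deserves review,
     since privileged contexts may reach container servlets like the Manager's.
Sample context XML below is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (7, 0, 21)
EXPECTED_PRIVILEGED = {"manager", "host-manager"}


def parse_version(server_info):
    """'Apache Tomcat/7.0.19' -> (7, 0, 19); raises ValueError if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", server_info)
    if not m:
        raise ValueError("no version found in %r" % server_info)
    return tuple(int(x) for x in m.groups())


def is_affected(server_info):
    """True when the version is inside the range named in the advisory."""
    return AFFECTED_MIN <= parse_version(server_info) <= AFFECTED_MAX


def privileged_contexts(context_files):
    """context_files: {name: xml_text}. Names whose Context is privileged."""
    found = []
    for name, xml_text in context_files.items():
        root = ET.fromstring(xml_text)
        ctx = root if root.tag == "Context" else root.find(".//Context")
        if ctx is not None and ctx.get("privileged", "false").lower() == "true":
            found.append(name)
    return sorted(found)


def unexpected_privileged(context_files):
    """Privileged contexts other than the Manager apps: review these."""
    return [n for n in privileged_contexts(context_files) if n not in EXPECTED_PRIVILEGED]


# Constructed sample: manager is legitimately privileged, 'tenantapp' is not.
SAMPLE_CONTEXTS = {
    "manager": '<Context antiResourceLocking="false" privileged="true" />',
    "tenantapp": '<Context privileged="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>',
    "blog": '<Context />',
}

if __name__ == "__main__":
    print(is_affected("Apache Tomcat/7.0.19"))     # True
    print(unexpected_privileged(SAMPLE_CONTEXTS))  # ['tenantapp']
```

Upgrading to 7.0.22 or later remains the fix; on affected versions the privileged check was not enforced at all, so the context audit only shows which applications are meant to hold that access.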

[ANNOUNCE] Apache Tika 1.0 released

by alan
Published on: November 8, 2011
Comments: No Comments
Categories: Apache

(…apologies for the cross posting…)

The Apache Tika project is pleased to announce the release of Apache Tika
1.0. The release contents have been pushed out to the main Apache release
site and to the Maven Central sync, so the releases should be available as
soon as the mirrors get the syncs.

Apache Tika is a toolkit for detecting and extracting metadata and
structured text content from various documents using existing parser
libraries.

Apache Tika 1.0 contains a number of improvements and bug fixes. Details can
be found in the changes file:

http://www.apache.org/dist/tika/CHANGES-1.0.txt

Apache Tika is available in source form from the following download page:
http://www.apache.org/dyn/closer.cgi/tika/apache-tika-1.0-src.zip

Apache Tika is also available in binary form or for use with Maven 2 from
the Central Maven Repository:

http://repo1.maven.org/maven2/org/apache/tika/

In the initial 48 hours, the release may not be available on all mirrors.
When downloading from a mirror site, please remember to verify the downloads
using signatures found on the Apache site:

http://www.apache.org/dist/tika/KEYS

For more information on Apache Tika, visit the project home page:

http://tika.apache.org/

— Chris Mattmann (on behalf of the Apache Tika community)

DotNetNuke 6.1 Exploits Cool HTML5 Rendering

by alan
Published on: November 8, 2011
Comments: No Comments
Categories: cnet, Information Week - UBM

http://www.informationweek.com/news/231902433

Japan’s Rakuten buys maker of Borders’ e-reader

The Evercookie: Like trying to kill Steven Seagal

by alan
Published on: November 8, 2011
Comments: No Comments
Categories: cnet, Computerworld / IT World / IDG, The Register

http://www.theregister.co.uk/2011/11/08/how_to_stay_anonymous_part_ii/

How to know when your private data is lost or stolen

Microsoft patches critical Windows bug, but not Duqu flaw

FTC settles privacy complaint against online ad network

Apple Store app now offers in-store pickup, self-checkout

by alan
Published on: November 8, 2011
Comments: No Comments
Categories: Cars, cnet, Movies - Theatre, The Register

http://goo.gl/t5L8Y

I’ve decided to match this policy.

Production electric motorcycle breaks 100 mile range

2012 Mercedes-Benz SLK350: Ferocious toy

Peter Jackson reveals 3D secrets behind ‘Hobbit’

Hidden panorama mode uncovered in iOS camera

by alan
Published on: November 8, 2011
Comments: No Comments
Categories: cnet, Computerworld / IT World / IDG, The Register

http://goo.gl/JXwpN

New Relic now monitors server performance

Oregon offers vote by fondleslab-swipe

Modern Warfare 3 launches, ready for war with Battlefield 3

Thunderbird 8 arrives–with Lightning 1.0 calendar

Firefox with Twitter

by alan
Published on: November 8, 2011
Comments: No Comments
Categories: Twitter

https://twitter.com/#!/download/firefox

Sybase Extends Innovation in Capital Markets Analytics by Integrating Sybase RAP with the Statistical Programming Language R

by alan
Published on: November 8, 2011
Comments: No Comments
Categories: Sybase

http://www.sybase.com/detail?id=1095419

62% of Consumers Are Poised to Make Purchases With Their Mobile Devices This Holiday Season, According to Survey From Sybase 365 and Mobile Marketing Association

Sprint Has Something for Everyone on the Holiday Shopping List

by alan
Published on: November 8, 2011
Comments: No Comments
Categories: Sprint

http://newsroom.sprint.com/article_display.cfm?article_id=2095

Fedora 16 Combines Sophisticated Cloud and Virtualization Features with Usability

by alan
Published on: November 8, 2011
Comments: No Comments
Categories: Red Hat

http://goo.gl/l7vfv
