Timeline for New Release

Issues and Questions related to running Apache Tomcat on z/OS
Post Reply
mweidner
Posts: 1
Joined: Mon Oct 25, 2021 10:07 pm

Timeline for New Release

Post by mweidner »

Hi,

We've been running the Tomcat port for 8.5.57 for a number of years and earlier this year our Security Team forwarded the below Security Advisory to us so we are asking if there is a plan for new a port of one of the recommended versions and if so what the timeline might be for release?

Thanks
Mark

http://mail-archives.us.apache.org/mod_ ... che.org%3E

CVE-2021-33037 HTTP request smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.6
Apache Tomcat 9.0.0.M1 to 9.0.46
Apache Tomcat 8.5.0 to 8.5.66

Description:
Apache Tomcat did not correctly parse the HTTP transfer-encoding request
header in some circumstances leading to the possibility to request
smuggling when used with a reverse proxy. Specifically: Tomcat
incorrectly ignored the transfer-encoding header if the client declared
it would only accept an HTTP/1.0 response; Tomcat honoured the identify
encoding; and Tomcat did not ensure that, if present, the chunked
encoding was the final encoding.</p>

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.7 or later
- Upgrade to Apache Tomcat 9.0.48 or later
- Upgrade to Apache Tomcat 8.5.68 or later
Note that issue was fixed in 9.0.47 and 8.5.67 but the release votes for
those versions did not pass.

History:
2021-07-12 Original advisory
Post Reply