If by chance you are still running a super old Tomcat version, there is a new CVE with a high level of severity. Please upgrade to the latest version.

---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Fri, Jan 19, 2024 at 8:27 AM
Subject: Re: [SECURITY] CVE-2024-21733 Apache Tomcat - Information Disclosure
To: users@xxxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxxx>
Cc: <announce@xxxxxxxxxx>, announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>

Correcting the CVE reference in the text (the subject line is correct)

Mark

On 19/01/2024 10:17, Mark Thomas wrote:
> CVE-2023-21733 Apache Tomcat - Information Disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0-M11 to 9.0.43
> Apache Tomcat 8.5.7 to 8.5.63
>
> Description:
> Incomplete POST requests triggered an error response that could contain
> data from a previous request from another user.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.44 or later
> - Upgrade to Apache Tomcat 8.5.64 or later
>
> Credit:
> This vulnerability was reported responsibly to the Tomcat security team
> by xer0dayz from Sn1perSecurity LLC.
>
> History:
> 2024-01-19 Original advisory
>
> References:
> [3] https://tomcat.apache.org/security-9.html
> [4] https://tomcat.apache.org/security-8.html

--
------------------------------------------------------------------------------------
Jennifer Oxelson Ganter
NSF Unidata Software Engineer IV
P.O. Box 3000
oxelson@xxxxxxxx
Boulder, CO 80307
------------------------------------------------------------------------------------