« August 2011 | Main | October 2011 »

6 posts from September 2011

09/22/2011

Apache Tomcat 5.5.34 Released

The Apache Tomcat team quietly released version 5.5.34 today.  At the time of this writing, there is no release announcement on the site yet other than a short blurb stating that it is out and that security and bug fixes are included.  

The changelog (not yet updated at the time this was posted) contains all the changes and you can download a copy from a mirror near you.

In addition, the Apache Tomcat team again announced the end-of-life date for Tomcat 5.5.

09/14/2011

Apache HTTP Server 2.2.21 Released

The Apache httpd server team released version 2.2.21!  This release fixes a couple security vulnerabilities as well as some other bugs.  The vulnerabilities addressed in this release are:

  • SECURITY: CVE-2011-3348 (cve.mitre.org)

    mod_proxy_ajp when combined with mod_proxy_balancer: Prevents unrecognized HTTP methods from marking ajp: balancer members in an error state, avoiding denial of service.

  • SECURITY: CVE-2011-3192 (cve.mitre.org)

    core: Further fixes to the handling of byte-range requests to use less memory, to avoid denial of service. This patch includes fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive.

So, yeah, this release further addresses the recently patched Apache Range Header Denial of Service Vulnerability and also introduces a new configuration directive: MaxRanges.

The changelog details everything new and fixed in this release and you can download a copy from a mirror near you.

09/07/2011

GlobalSign Temporarily Ceases SSL Certificate Issuance

See this article on ABC News for more details as Belgium-based Certificate Authority GlobalSign has temporarily ceased ssl certificate issuance in the wake of the announcement yesterday from comodohacker that he(?) has managed to breach 4 other major CAs. GlobalSign was the only one of the four high-profile CAs specifically named.