
Bug 367731

Summary: Upgrade Apache Tomcat to fix the hashtable collision DoS vulnerability
Product: [RT] Gemini.Web
Reporter: Glyn Normington <glyn.normington>
Component: unknown
Assignee: Violeta Georgieva <milesg78>
Status: CLOSED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: milesg78
Version: 2.0.1.RELEASE
Target Milestone: 2.0.2.RELEASE
Hardware: PC
OS: Mac OS X - Carbon (unsup.)
Whiteboard:
Bug Depends on:
Bug Blocks: 367814

Description Glyn Normington CLA 2012-01-03 04:53:57 EST
Need to upgrade to Tomcat 7.0.23 or later.
Comment 1 Violeta Georgieva CLA 2012-01-04 05:12:37 EST
More information is available here:
http://www.nruns.com/_downloads/advisory28122011.pdf
Comment 2 Violeta Georgieva CLA 2012-01-04 05:21:34 EST
CQ5930 was created
Comment 3 Glyn Normington CLA 2012-01-11 10:07:51 EST
Tomcat 7.0.23 is published to the EBR and committed to the EBR repository as 80f59fd9fa7cda57b6a937f018d6e76821b0ed4c.
Comment 4 Violeta Georgieva CLA 2012-01-14 13:33:36 EST
There is an issue in Tomcat 7.0.23 that blocks us from using the Tomcat binaries as they are - https://issues.apache.org/bugzilla/show_bug.cgi?id=52461

A workaround is to provide the default web.xml through "config" folder instead of loading it directly from org.eclipse.gemini.web.tomcat bundle.

The fix in Tomcat will be available in 7.0.24.
Comment 5 Violeta Georgieva CLA 2012-01-24 07:56:07 EST
Apache Tomcat 7.0.25 is released and also contains the fix for the issue in version 7.0.23.

I'm going to update the CQs.
Comment 6 Glyn Normington CLA 2012-01-24 08:53:02 EST
Tomcat 7.0.25 is published to the EBR and committed to the EBR repository as 445ea98bb9bcc58d8d424ed29821c0557a5bb9fc.
Comment 7 Violeta Georgieva CLA 2012-02-16 06:32:10 EST
The CQ for Tomcat 7.0.25 is approved.

Unfortunately I found another problem in Tomcat 7.0.25 related to annotation processing - see Tomcat bug [1].

We have several options here:
1. Update Tomcat to 7.0.25 in order to have the security fix in place, but point out that there is a regression in annotation processing.

2. Wait for Tomcat 7.0.26, where the fix is included, but then we will delay the security fix delivery.

3. Update Tomcat to 7.0.25 in order to have the security fix in place and include the fixed method in GW ExtendedContextConfig. Then, when we have Tomcat 7.0.26, we will remove the temporary workaround.

Please comment on the different options.

Thanks
Violeta

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=52669
Comment 8 Glyn Normington CLA 2012-02-17 04:35:36 EST
If Tomcat 7.0.26 is due before long, option 2 seems preferable, otherwise option 3 (but we may need a CQ if the fixed method is copied from Tomcat as CQ 5930 is for unmodified code).
Comment 9 Violeta Georgieva CLA 2012-02-27 15:00:57 EST
Apache Tomcat 7.0.26 was released last week. I did extra testing in order to check that there is no regression.

A new CQ is created: 6288
Comment 10 Violeta Georgieva CLA 2012-03-09 09:47:15 EST
CQ 6288 is approved.
Comment 11 Glyn Normington CLA 2012-03-12 06:54:10 EDT
Tomcat 7.0.26 uploaded to the EBR and committed as 5377bbf54b936cdbaa10a0283c86e028638ea390.
Comment 12 Violeta Georgieva CLA 2012-03-12 13:28:44 EDT
Apache Tomcat is upgraded to 7.0.26 in "master" with commit Id: 6e514dab64e55ccd346434d38b4f8a2e5c7e293f
Comment 13 Violeta Georgieva CLA 2012-03-12 15:13:38 EDT
Apache Tomcat is upgraded to 7.0.26 in "2.0.x" with commit Id: 219706c4557d2110105bd17921db0cd81d6aedae

A new tag is created: 2.0.2.RELEASE
Comment 14 Violeta Georgieva CLA 2012-03-13 05:18:43 EDT
Gemini Web 2.0.2.RELEASE is available.