Basically. I start with the tomcat distro, apply my changes, then zip it up and distribute. I'm at a situation when patches are preferable over a complete reinstall of my product thus the inquiry. I can probably just replace all the tomcat bits and be done with it.
On Thu, Oct 18, 2018, 8:52 AM Christopher Schultz < ch...@christopherschultz.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Alex, > > On 10/14/18 18:06, Alex O'Ree wrote: > > Is there perhaps a patch that can be applied or better yet, a list > > of jars that are were affected by this? (I'm just trying to find a > > simple way to patch a large volume of servers) > > There is nothing official. Nobody has individually identified which > svn revisions fix this issue, so your only options really are: > > 1. Grab the previous version from source, apply all patches and deploy > (this is the same as just grabbing the new binaries, assuming you > trust ASF distros) > > 2. Grab the new binaries, determine which JARs are different (which > may not be super-easy), then copy those to each server. But then you > have a server which reports x.y.z but is actually x.y.z+∂ :( > > 3. Look at all the commits in ∂ and try to guess the problem. Then, > mitigate it at e.g. reverse-proxy of WAF level. One way would be to > prevent redirects to sites other than your own (which is really the > big danger for open-redirects). Just look for sketchy-looking Location > response headers. :) > > I'm curious how you handle upgrades in general. This certainly isn't > the first security issue inn Tomcat that requires an update in your > environment. How do you usually handle updates? > > - -chris > > > On Wed, Oct 10, 2018 at 10:23 AM Christopher Schultz < > > ch...@christopherschultz.net> wrote: > > > > Mark and Michael, > > > > On 10/10/18 05:15, Mark Thomas wrote: > >>>> On 08/10/18 21:55, Michael Yoder wrote: > >>>>> On Wed, Oct 3, 2018 at 12:50 PM Mark Thomas > >>>>> <ma...@apache.org> wrote: > >>>>>> CVE-2018-11784 Apache Tomcat - Open Redirect > >>>>> > >>>>> Is it possible to get more information on the "specially > >>>>> crafted URL"? I'd like more information so that I can test > >>>>> if some of our apps are vulnerable. > >>>> > >>>> Generally, there is a balance to strike here between making > >>>> it easy for the less technically competent attackers to > >>>> construct an attack and making it easy for end users to > >>>> figure out if they are vulnerable. The way we typically do > >>>> this is by describing the conditions necessary for an attack > >>>> to be possible as completely as possible but not providing > >>>> details of how to perform an attack. > >>>> > >>>> We also provide references to the commit that fixed the > >>>> issue. For someone with the right skills, there is usually > >>>> enough information in the description and the commit for a > >>>> successful attack to be reverse engineered. > > > > It doesn't look like Sergey has posted anything (that I can find) > > that might be called a full disclosure. If he had, I'd point it > > out. > > > > If I were you, I'd just make sure that you either (a) upgrade or > > (b) use the existing settings to mitigate the potential problem, > > as described in the announcement. > > > > -chris > >> > >> --------------------------------------------------------------------- > >> > >> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > >> > >> > > > -----BEGIN PGP SIGNATURE----- > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlvInigACgkQHPApP6U8 > pFhgDw/+L0SpWHz4IACgy7xB4ekyHpIt/5wbOEbqTfyZAh0m+LrSZgI73zPJuHtt > pLnpwgx3lqwCiWTTFFpK8CqhiQ+a+2dKtSTeDlKRJuU4QZLDMSrgYpcWlGJ3h6w/ > LiM2KlnJ1i/jI95NVvoW8HFh/6wHCJLJV+czZJja3Uh/xQz/MTWhmh5dx3eVEIY6 > 7WTB/JNO02wzM8EudqHypypXmwI0pMLbsMsjTSikIHf8m41Qyd+XrY60DKZul8dv > L6bolXxH23vGnxiv4fnN+tGzIaT1ptXmJ6u/MWFUODtD3PVR3CdjIp2JrXFd3GVN > wGEow0tPRa3tsUvL/frllk22xhzbtxzu1M0Rf9U02TLB4nolyBIdJ5e3OyAnmS/Q > ap3aAPVnFWz2twBxUbuXkk4aZ39YziziWqyFO36y5BFNKI5EQlI3GryDbmBZ6SeT > vOJnMDwLy8o6kRcChNh1LmpjnbZMTYPmSkKEhfzf1tocDdBHZmd5yTIjBNrS0++V > n572zrrTWiBbca39QKFqEgmB5iy4fWpkVYHPKqmOVT7JLhI74WRnKap9dqrSDGrP > n1F4AjfuUjmG8H5Vo01bHWBav4aJuMDrLQ+Sr+sUl6uWPu5DDsG+1W9t2JAyC2Vq > tfP9XLMNBDV+f0BUaYt2aPXmBmLe5IP8FNVAzO1W/2VJG7c1UrM= > =E/P3 > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
