Apache TomEE is happy to announce the security-related release of Apache TomEE 1.6.0.1, which is now based on Apache Tomcat 7.0.53. The principal focus of this release is to provide compatibility with a significant security fix introduced in Tomcat 7.0.51 for Apache Commons FileUpload. We recommend that all TomEE 1.6.0 users affected by this issue upgrade to this latest version at the earliest opportunity.
Complete details of the issue can be found at the following link:
Important: Denial of Service CVE-2014-0050 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050)
It goes without saying that everyone has heard of the Heartbleed issue, and we have quickly replaced the included Apache Tomcat Native library with version 1.1.30 for this release, should anyone be using it. Note that the native library is not the default for TomEE, and updating it does not by itself resolve the issue; for that you will still need to update your OpenSSL. It merely enables the use of a more recent OpenSSL version. You can find more information here:
http://tomcat.apache.org/native-doc/ - You may need to refresh the page if you have been checking the site as it was only recently updated.
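Because the native library update only enables a newer OpenSSL rather than fixing Heartbleed itself, it is worth confirming what a running instance actually loaded. At startup Tomcat (and therefore TomEE) logs the Tomcat Native version and the OpenSSL version it initialised. The following is an added example, not part of this announcement or of the TomEE project; the log lines in SAMPLE_LOG are constructed for the example, and the helper names are my own. It extracts both versions from such a log and checks that the native library is at least the 1.1.30 shipped with this release.

```shell
#!/bin/sh
# Added example (not from the TomEE announcement): verify the Tomcat Native
# and OpenSSL versions reported in a Tomcat/TomEE startup log.
# SAMPLE_LOG is constructed for this example; in practice pass the contents
# of catalina.out (or the TomEE log files) to the functions below.

SAMPLE_LOG='INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.5.1.
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1g 7 Apr 2014)'

# Version the announcement ships; anything older should be upgraded.
REQUIRED_NATIVE="1.1.30"

# Print the Tomcat Native version found in a startup log (empty if absent).
native_version() {
    printf '%s\n' "$1" | sed -n 's/.*Apache Tomcat Native library \([0-9.]*\).*/\1/p' | head -n 1
}

# Print the OpenSSL version string (e.g. 1.0.1g) found in a startup log.
openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*(OpenSSL \([0-9a-z.]*\) .*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 is greater than or equal to $2.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Return 0 when the log shows a Tomcat Native library at or above REQUIRED_NATIVE,
# 1 when it is older or the library was never loaded (no APR/native line present).
check_native_log() {
    found="$(native_version "$1")"
    [ -n "$found" ] || return 1
    version_ge "$found" "$REQUIRED_NATIVE"
}

# Report what the sample log says; the OpenSSL line is printed so an operator
# can compare it against the version installed on the host.
check_native_log "$SAMPLE_LOG" && echo "Tomcat Native $(native_version "$SAMPLE_LOG") OK" \
    || echo "Tomcat Native older than $REQUIRED_NATIVE or not loaded"
echo "OpenSSL reported by Tomcat: $(openssl_version "$SAMPLE_LOG")"
```

Run it against a real log with `check_native_log "$(cat logs/catalina.out)"`; a missing native line simply means the APR connector is not in use, which is the TomEE default described above.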
We would like to thank everyone in the community involved in the reporting, documentation and final resolution of this issue. A very special thank you goes out to Romain Manni-Bucau and Jonathan Gallimore for their tireless efforts in enabling us to provide this release so quickly.
The Apache TomEE Release 1.6.0.1 files can be found here:
A complete Changelog can be viewed here:
To see the full Changelog of Apache Tomcat since version 7.0.51 follow this link: