Verj.io V5.12.2 released



Postby Steve » Tue Oct 17, 2023 3:35 pm

Verj.io V5.12.2 is now available and can be downloaded using the links below.

Downloads:
Verj.io Studio Links:
Windows 64 bit: https://downloads.verj.io/verjio/v5.12. ... _win64.exe
Linux 64 bit: https://downloads.verj.io/verjio/v5.12. ... x64.tar.gz
Mac: https://downloads.verj.io/verjio/v5.12. ... _2_mac.dmg

On-premise Server Links
Windows 64 bit: https://downloads.verj.io/verjio/v5.12. ... _win64.exe
Linux 64 bit: https://downloads.verj.io/verjio/v5.12. ... x64.tar.gz


Changes introduced in Version 5.12.2:

This release is a maintenance release and contains memory improvements and various bug fixes.

Security Fixes in V5.12.2
  1. Upgrade to Tomcat 9.0.82, which fixes:
    • CVE-2023-45648 - Improper Input Validation vulnerability in Apache Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

    • CVE-2023-44487 - Tomcat's HTTP/2 implementation was vulnerable to the rapid reset attack. The denial of service typically manifested as an OutOfMemoryError.

    • CVE-2023-42795 - When recycling various internal objects, including the request and the response, prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.

    • CVE-2023-34981 - If a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent, which in turn meant that at least one AJP based proxy (mod_proxy_ajp) would use the response headers from the previous request for the current request, leading to an information leak.

    • CVE-2023-28709 - If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

    • CVE-2023-28708 - When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

    • CVE-2023-24998 - Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Release notes and installation instructions:
See the V5.12.2 Readme
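After installing, the one thing worth confirming on an on-premise server is that the bundled Tomcat really is 9.0.82 or later, since every CVE in the list above is closed by that upgrade. The check below is an added example, not part of this post or of Verj.io's own tooling; it assumes only that the server ships a standard Tomcat lib/catalina.jar, whose ServerInfo.properties carries a server.number entry, and the catalina.jar path you pass is your own.

```python
"""Check that the Tomcat bundled with a Verj.io on-premise server is >= 9.0.82.

Tomcat records its build in org/apache/catalina/util/ServerInfo.properties
inside lib/catalina.jar, e.g. "server.number=9.0.82.0".
"""
import sys
import zipfile

# Minimum version named in the V5.12.2 release notes.
MIN_TOMCAT = (9, 0, 82)
SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"


def parse_server_number(properties_text: str) -> tuple:
    """Return the numeric server.number from a ServerInfo.properties body."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server.number":
            return tuple(int(part) for part in value.strip().split("."))
    raise ValueError("server.number not found in ServerInfo.properties")


def _pad(version: tuple, width: int) -> tuple:
    """Right-pad with zeros so 9.0.82 and 9.0.82.0 compare as equal."""
    return tuple(version) + (0,) * (width - len(version))


def meets_minimum(version: tuple, minimum: tuple = MIN_TOMCAT) -> bool:
    """True when version >= minimum, compared component-wise."""
    width = max(len(version), len(minimum))
    return _pad(version, width) >= _pad(minimum, width)


def tomcat_version_from_jar(catalina_jar: str) -> tuple:
    """Read server.number straight out of catalina.jar (a zip archive)."""
    with zipfile.ZipFile(catalina_jar) as jar:
        return parse_server_number(jar.read(SERVER_INFO).decode("utf-8"))


def check(catalina_jar: str) -> bool:
    """Report the bundled Tomcat version and whether it meets MIN_TOMCAT."""
    version = tomcat_version_from_jar(catalina_jar)
    ok = meets_minimum(version)
    label = ".".join(str(n) for n in version)
    print(f"Tomcat {label}: {'OK' if ok else 'BELOW 9.0.82 - upgrade required'}")
    return ok


if __name__ == "__main__":
    # Usage: python check_tomcat.py /path/to/verjio/server/lib/catalina.jar
    sys.exit(0 if check(sys.argv[1]) else 1)
```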
