https://bz.apache.org/bugzilla/show_bug.cgi?id=65736
Mark Thomas <ma...@apache.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |enhancement --- Comment #2 from Mark Thomas <ma...@apache.org> --- To be crystal clear: There is no Apache Tomcat vulnerability here. To quote from the linked article: <quote> The actual problem here is not within the JDK or Apache Tomcat library, but rather in custom applications that pass user-controllable data to the "InitialContext.lookup()" function, as it still represents a security risk even in fully patched JDK installations. </quote> Moving this to an enhancement request. It is highly unlikely Tomcat will remove/disable existing functionality. Suggestions for mitigation / hardening that can improve security without impacting legitimate uses will be welcomed. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org