Hi, Mark.

> The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected

I checked the Tomcat 5.0.x source code and found that org.apache.coyote.http11.filters.SavedRequestInputFilter is NOT included. Does this mean Tomcat 5.0.x is not affected by this vulnerability?
Advice, please.

Kazu Nambo

From: ma...@apache.org
Subject: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
Date: Wed, 25 Feb 2009 23:17:37 +0000

> CVE-2008-4308: Tomcat information disclosure vulnerability
>
> Severity: Low
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Tomcat 4.1.32 to 4.1.34
> Tomcat 5.5.10 to 5.5.20
> Tomcat 6.0.x is not affected
> The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected
>
> Note: Although this vulnerability affects relatively old versions of
> Apache Tomcat, it was only discovered and reported to the Apache Tomcat
> Security team in October 2008. Publication of this issue was then
> postponed until now at the request of the reporter.
>
> Description:
> Bug 40771 (https://issues.apache.org/bugzilla/show_bug.cgi?id=40771) may
> result in the disclosure of POSTed content from a previous request. For
> a vulnerability to exist, the content read from the input stream must be
> disclosed, e.g. via writing it to the response and committing the
> response, before the ArrayIndexOutOfBoundsException occurs, which will
> halt processing of the request.
>
> Mitigation:
> Upgrade to:
> 4.1.35 or later
> 5.5.21 or later
> 6.0.0 or later
>
> Example:
> See the original bug report for an example of how to create the error condition.
>
> Credit:
> This issue was discovered by Fujitsu and reported to the Tomcat Security
> Team via JPCERT.
>
> References:
> http://tomcat.apache.org/security.html
>
> Mark Thomas