Mark,
On 7/13/2011 2:28 PM, Mark Thomas wrote:
> No, since all that code runs in Tomcat's security context which has
> read everything permissions (by default) anyway. Logically, if a
> system admin doesn't want Tomcat to read those files, they wouldn
On 13/07/2011 17:14, Christopher Schultz wrote:
> All,
>
> Great catch to all who were involved in discovery and mitigation of this
> vulnerability.
Konstantin found the problems - he deserves most of the credit.
> Since the APR flavor of this vulnerability uses native code to crash the
> JVM an
All,
Great catch to all who were involved in discovery and mitigation of this
vulnerability.
Since the APR flavor of this vulnerability uses native code to crash the
JVM and/or read files without asking the SecurityManager for permission,
does that m
CVE-2011-2526: Apache Tomcat Information disclosure and availability
vulnerabilities
Severity: low
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 7.0.0 to 7.0.18
Tomcat 6.0.0 to 6.0.32
Tomcat 5.5.0 to 5.0.33
Previous