Re: CVE-2012-0022 details

2012-01-23 Thread Christopher Schultz
Mark,

On 1/22/12 5:08 PM, ma...@apache.org wrote:
> Christopher Schultz wrote:
>
>> David,
>>
>> On 1/21/12 3:02 AM, David Jorm wrote:
>>> Based on reading the advisory and Tomcat patch code, it

Re: CVE-2012-0022 details

2012-01-22 Thread markt
Christopher Schultz wrote:
>David,
>
>On 1/21/12 3:02 AM, David Jorm wrote:
>> Based on reading the advisory and Tomcat patch code, it seems to me
>> that the issue is simply slow processing when a very large number
>> of parameters is received wi

Re: CVE-2012-0022 details

2012-01-22 Thread Christopher Schultz
David,

On 1/21/12 3:02 AM, David Jorm wrote:
> Based on reading the advisory and Tomcat patch code, it seems to me
> that the issue is simply slow processing when a very large number
> of parameters is received with a request. The parameter names mus

Re: CVE-2012-0022 details

2012-01-21 Thread Konstantin Kolinko
2012/1/21 David Jorm:
> Hi All
>
> I am working on resolving the CVE-2012-0022 DoS in JBoss Web, and I wanted to
> confirm some details if anyone can help. Based on reading the advisory and
> Tomcat patch code, it seems to me that the issue is simply slow processing
> when a very large number o

Re: CVE-2012-0022 details

2012-01-21 Thread Mark Thomas
On 21/01/2012 12:02, David Jorm wrote:
> The point of my question was to check whether my understanding of the
> CVE-2012-0022 issue is complete, i.e. whether the issue is just slow
> processing leading to a DoS when a very large number of parameters is
> received with a request.

Correct. CVE-201

Re: CVE-2012-0022 details

2012-01-21 Thread David Jorm
On 01/21/2012 07:16 PM, Remy Maucherat wrote: On Sat, Jan 21, 2012 at 9:02 AM, David Jorm wrote: Hi All I am working on resolving the CVE-2012-0022 DoS in JBoss Web, and I wanted to confirm some details if anyone can help. Based on reading the advisory and Tomcat patch code, it seems to me t

Re: CVE-2012-0022 details

2012-01-21 Thread Remy Maucherat
On Sat, Jan 21, 2012 at 9:02 AM, David Jorm wrote:
> Hi All
>
> I am working on resolving the CVE-2012-0022 DoS in JBoss Web, and I wanted to
> confirm some details if anyone can help. Based on reading the advisory and
> Tomcat patch code, it seems to me that the issue is simply slow processing

CVE-2012-0022 details

2012-01-21 Thread David Jorm
Hi All

I am working on resolving the CVE-2012-0022 DoS in JBoss Web, and I wanted to confirm some details if anyone can help. Based on reading the advisory and Tomcat patch code, it seems to me that the issue is simply slow processing when a very large number of parameters is received with a re