André,

On 6/25/15 8:32 AM, André Warnier wrote:
> Lynch, Charles [USA] wrote:
>> You are saying a malicious actor would need to be on the server
>> itself to load an application?
>>
>
> Basically yes, or be allowed to load and deploy applications via
> the Manager application (which is either not installed, or anyway
> secured by default).

Correct: this CVE indicates that Tomcat is vulnerable to a malicious web application, not to a remote user.

-chris