Hello, the recent security announcement for Apache Tomcat JK (CVE-2016-6808) mentions that only IIS/ISAPI specific code is vulnerable. This issue was apparently fixed in [1]. The vulnerable code is in the map_uri_to_worker_ext function which is used by the IIS, Apache 1.3 and Apache 2.0 implementations.
Could someone clarify why the official security announcement only mentions IIS and not all three servers? Are users who use Apache Tomcat JK with Apache 2.x affected by CVE-2016-6808? Regards, Markus [1] https://svn.apache.org/viewvc?view=revision&revision=1762057
signature.asc
Description: OpenPGP digital signature