Please ignore my previous mail. I got the correct one https://tomcat.apache.org/security-7.html
On Sun, Nov 27, 2016 at 6:41 PM, Utkarsh Dave <utkarshkd...@gmail.com> wrote:
> Hi All
>
> This vulnerability (CVE-2016-6816) is said to be "Affects: 9.0.0.M1 to
> 9.0.0.M11" on another URL https://tomcat.apache.org/security-9.html.
> But in the mail it says Tomcat 7 is also affected.
> Does this vulnerability affect version 7.0.72?
>
> -Regards
> Utkarsh
>
> On Tue, Nov 22, 2016 at 1:42 AM, Mark Thomas <ma...@apache.org> wrote:
>
>> CVE-2016-6816 Apache Tomcat Information Disclosure
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 9.0.0.M1 to 9.0.0.M11
>> Apache Tomcat 8.5.0 to 8.5.6
>> Apache Tomcat 8.0.0.RC1 to 8.0.38
>> Apache Tomcat 7.0.0 to 7.0.72
>> Apache Tomcat 6.0.0 to 6.0.47
>> Earlier, unsupported versions may also be affected.
>>
>> Description
>> The code that parsed the HTTP request line permitted invalid characters.
>> This could be exploited, in conjunction with a proxy that also permitted
>> the invalid characters but with a different interpretation, to inject
>> data into the HTTP response. By manipulating the HTTP response the
>> attacker could poison a web-cache, perform an XSS attack and/or obtain
>> sensitive information from requests other than their own.
>>
>> Mitigation
>> Users of affected versions should apply one of the following mitigations
>> - Upgrade to Apache Tomcat 9.0.0.M13 or later
>>   (Apache Tomcat 9.0.0.M12 has the fix but was not released)
>> - Upgrade to Apache Tomcat 8.5.8 or later
>>   (Apache Tomcat 8.5.7 has the fix but was not released)
>> - Upgrade to Apache Tomcat 8.0.39 or later
>> - Upgrade to Apache Tomcat 7.0.73 or later
>> - Upgrade to Apache Tomcat 6.0.48 or later
>>
>> Credit:
>> This issue was discovered by Regis Leroy from Makina Corpus.
>>
>> References:
>> [1] http://tomcat.apache.org/security-9.html
>> [2] http://tomcat.apache.org/security-8.html
>> [3] http://tomcat.apache.org/security-7.html
>> [4] http://tomcat.apache.org/security-6.html
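The advisory quoted above describes a class of bug rather than one specific byte: a request-line parser that accepts characters outside the RFC 7230 grammar, sitting behind a proxy that also accepts them but splits the line differently, so the two hops disagree about what was requested. The example below is added here to illustrate that class; it is not Tomcat's code, not the proxy code from the advisory, and does not claim which bytes Tomcat actually accepted. It contrasts a strict RFC 7230 request-line parser with two hypothetical lenient parsers, and feeds all three a constructed request line containing a form-feed (0x0C) in the request-target.

```python
import re

# Character classes from RFC 7230: tchar for the method, a conservative subset
# of the origin-form request-target grammar, and the HTTP-version production.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
METHOD_RE = re.compile(rf"^{TCHAR}+$")
TARGET_RE = re.compile(r"^/[A-Za-z0-9\-._~!$&'()*+,;=:@/?%]*$")
VERSION_RE = re.compile(r"^HTTP/[0-9]\.[0-9]$")


def parse_strict(line: bytes):
    """Parse 'method SP request-target SP HTTP-version CRLF' and reject
    anything outside the RFC 7230 grammar, including every control byte."""
    if not line.endswith(b"\r\n"):
        raise ValueError("request line must end with CRLF")
    body = line[:-2]
    # Only SP (0x20) may separate fields; every other byte must be visible ASCII.
    if any(b != 0x20 and not 0x21 <= b <= 0x7E for b in body):
        raise ValueError("control or non-ASCII byte in request line")
    parts = body.split(b" ")
    if len(parts) != 3:
        raise ValueError("request line must have exactly three SP-separated fields")
    method, target, version = (p.decode("ascii") for p in parts)
    if not METHOD_RE.match(method):
        raise ValueError(f"invalid method {method!r}")
    if not TARGET_RE.match(target):
        raise ValueError(f"invalid request-target {target!r}")
    if not VERSION_RE.match(version):
        raise ValueError(f"invalid HTTP-version {version!r}")
    return method, target, version


def parse_lenient_sp_only(line: bytes):
    """Hypothetical lax parser A (an assumption for illustration): splits only
    on the first and last SP and accepts whatever bytes lie between them as
    the request-target, control characters included."""
    body = line.rstrip(b"\r\n").decode("latin-1")
    first, last = body.find(" "), body.rfind(" ")
    if first == -1 or first == last:
        raise ValueError("need at least two SP separators")
    return body[:first], body[first + 1:last], body[last + 1:]


def parse_lenient_any_ws(line: bytes):
    """Hypothetical lax parser B (an assumption for illustration): treats any
    ASCII whitespace, including VT 0x0B and FF 0x0C, as a field separator,
    the way str.split() does."""
    fields = line.decode("latin-1").split()
    if len(fields) < 3:
        raise ValueError("need at least three whitespace-separated fields")
    return fields[0], fields[1], fields[-1]


def interpretations(line: bytes):
    """Run all three parsers on one raw request line and report what each
    believes the request-target is (None where the parser rejected the line)."""
    out = {}
    for name, fn in (("strict", parse_strict),
                     ("sp_only", parse_lenient_sp_only),
                     ("any_ws", parse_lenient_any_ws)):
        try:
            out[name] = fn(line)[1]
        except ValueError:
            out[name] = None
    return out


# Constructed sample input: a form-feed (0x0C) inside the request-target. It is
# not a valid request-target byte, so the strict parser rejects the line, while
# the two lenient parsers both accept it and disagree about the path requested.
SAMPLE = b"GET /index.html\x0c/admin HTTP/1.1\r\n"

if __name__ == "__main__":
    for name, target in interpretations(SAMPLE).items():
        print(f"{name:8s} -> {target!r}")
```

The point of the comparison is the disagreement between the two lenient parsers, not either answer on its own: a proxy holding one interpretation and an origin holding the other is exactly the "different interpretation" precondition the advisory names, and the strict parser's rejection is what closes it. When checking a build for this class of issue, send a request line with a stray control byte through the full proxy chain and confirm that it is refused at the first hop rather than forwarded.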