Laura McCord wrote:
> I currently have Tomcat 5.0.28 installed and we received a security
> vulnerability notice pertaining to an "Apache Tomcat Directory Traversal".
> http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0167.html
>
> We were thinking about upgrading to version 5.5.23 but is it true that
> we would have to upgrade our java installation from 1.4 to java 5?

No, this is not true. TC5.5.x runs on a 1.4 JDK as long as you also download the JDK 1.4 compatibility package.

> Also, if anyone is familiar with this security vulnerability can you
> please explain what this means?

http://tomcat.apache.org/security-5.html - CVE-2007-0450

Short version:
- Tomcat has two contexts, A & B
- Tomcat is not accessible from the Internet
- httpd is configured to proxy requests only to context A
- httpd is accessible from the Internet

In this configuration a user may expect that context B is not accessible from the Internet. This is not the case.

HTH.

Mark
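A log check for the configuration described above, added here as an example and not part of the original message or of Tomcat/httpd. It assumes the proxy matches context A by literal path prefix and that the backend treats `\`, `%5C` and `%2F` as path delimiters, as the Tomcat security page states for CVE-2007-0450; `PROXIED_CONTEXT`, `backend_context` and `flag_escapes` are hypothetical names and the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

PROXIED_CONTEXT = "/A"  # assumption: the only context httpd forwards
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Mar/2007:10:01:02 +0000] "GET /A/index.jsp HTTP/1.1" 200 512',
    '192.0.2.11 - - [14/Mar/2007:10:01:09 +0000] "GET /A/%5C../B/admin.jsp HTTP/1.1" 200 2048',
    '192.0.2.12 - - [14/Mar/2007:10:02:30 +0000] "GET /A/img/..%2Flogo.png HTTP/1.1" 200 900',
]


def backend_context(raw_path):
    """Context the backend would resolve for a request path.

    Decodes percent-escapes once and treats backslash as a separator,
    then collapses '.' and '..' segments the way a path resolver would.
    """
    path = unquote(raw_path.split("?", 1)[0]).replace("\\", "/")
    norm = posixpath.normpath(path)
    return "/" + norm.strip("/").split("/", 1)[0]


def flag_escapes(lines, proxied=PROXIED_CONTEXT):
    """Return (raw_path, resolved_context) for requests the proxy would
    forward as `proxied` but that resolve to a different context."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we can parse
        raw = m.group(1)
        via_proxy = raw == proxied or raw.startswith(proxied + "/")
        ctx = backend_context(raw)
        if via_proxy and ctx != proxied:
            hits.append((raw, ctx))
    return hits


if __name__ == "__main__":
    for raw, ctx in flag_escapes(SAMPLE_LOG):
        print(f"proxied as {PROXIED_CONTEXT} but resolves to {ctx}: {raw}")
```

The third sample line uses an encoded separator but stays inside context A, so it is not flagged.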