Christopher Schultz wrote:
>> For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and
>> 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are
>> vulnerable.
>
> I'm afraid I still don't understand the vulnerability in 5.5's
> DataSourceRealm (the one I actually look at in detail): the NPE occurs
> (in the unpatched code) regardless of the presence of a valid user(name).

You need to go back to what the code looked like between 5.5.0 and 5.5.5. It was very different back then.

Mark