Tadelkar, Gauravsagar (Gaurav) wrote:
>  Thanks for the reply, Mark. 
> 
>   If possible, can you please point to any references/docs which would
> help me convince others about the directory traversal vulnerability not
> impacting a standalone tomcat? Even an explanation would help.

I would have thought the phrase "When Tomcat is used behind a proxy..."
was pretty self-explanatory.

Mark

>  I personally do agree that upgrading the tomcat is surely the thing to
> do rather than looking for alternatives, but this is something beyond my
> powers in this case :-)
> 
> Thanks once again.
> 
> Gaurav
> 
> 
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org] 
> Sent: Wednesday, September 09, 2009 1:49 PM
> To: Tomcat Users List
> Subject: Re: Does CVE-2007-0450 (Directory Traversal) affect standalone
> Tomcat
> 
> Tadelkar, Gauravsagar (Gaurav) wrote:
>> I have a tomcat at version 5.5.15 in a standalone mode and due to some
>> compulsions cannot upgrade it. Does the directory traversal
>> vulnerability affect tomcat in a standalone mode (the 5.5.15 ver does
>> not have a fix to this vulnerability)?
> 
> No, it doesn't. However, there are plenty of other vulnerabilities (e.g.
> CVE-2008-5515) that do.
> 
>> Alternately, is there a way I can secure/work around this 
>> vulnerability without upgrading?
> 
> You'd have to look at each vulnerability on a case by case basis.
> Upgrading to 5.5.28 is likely to be less painful than any of the
> alternatives.
> 
> Mark
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 



