As reported on the users list [1], both Tomcat 7.0.8 and the latest Tomcat 7 code from svn appear to ignore @ServletSecurity annotations. Assuming this issue is confirmed, it may lead to authentication bypass and information disclosure.

The exact details are still being investigated but this e-mail is being provided to give users early warning of this public issue. If code changes are required to address this, they will be included in the next release of Tomcat 7, 7.0.10. The release process for 7.0.10 is expected to start once the investigation of this issue is complete.

Mark
on behalf of the Apache Tomcat security team

[1] http://markmail.org/message/yzmyn44f5aetmm2r
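For readers reviewing their own deployments, an added illustration (not code from the advisory or from Tomcat itself) of the kind of annotation the advisory refers to, paired with an in-servlet role check and the equivalent web.xml constraint. The class name, URL pattern and role are hypothetical, and the assumption that a web.xml constraint is enforced independently of annotation processing is mine; the advisory does not state it.

```java
// Added illustration, not part of the advisory or of Tomcat's own code.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// The annotation-based constraint that the advisory says affected versions
// appear to ignore: only authenticated callers in role "admin" should reach
// /admin/report (hypothetical path and role).
@WebServlet("/admin/report")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class AdminReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defence in depth: verify the container actually authenticated a
        // caller in the expected role, so a container that skipped the
        // annotation still cannot serve the report to an anonymous request.
        if (req.getUserPrincipal() == null || !req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("report for " + req.getUserPrincipal().getName());
    }
}

/* Equivalent declarative constraint for WEB-INF/web.xml (Servlet 3.0 schema).
   Declaring it here as well means enforcement does not rest solely on the
   annotation being processed. Assumption: the deployment-descriptor path is
   enforced independently; the advisory does not say whether it is affected.
   A matching <login-config> is still required and is omitted here.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin report</web-resource-name>
    <url-pattern>/admin/report</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>admin</role-name>
</security-role>
*/
```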