Christopher,

On 2/7/12 3:01 PM, Christopher Restorff wrote:
> I have a question regarding CVE-2005-4836:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4836

Wow. Blast from the past.

> The security bulletin, http://tomcat.apache.org/security-4.html,
> mentions that it will not be fixed in 4.x. However, there is no
> indication as to whether it affects 5.x or beyond.

Sure there is: look at the section on the page above titled "Vulnerable software and versions". It clearly says that certain versions of Tomcat 5.0.x and 5.0.x are affected.

> Is this issue persistent in the 5, 6, and 7 versions? If not,
> which versions are not affected.

If you carefully read the security report for Tomcat 4, you'll see that the bug exists in a deprecated connector. If you are using the standard Coyote connector, then you are safe.

For completeness, these are the connectors that are vulnerable to this issue:

org.apache.coyote.tomcat4.CoyoteConnector
org.apache.catalina.connector.http.HttpConnector

Neither of these classes is included in the current 5.5 line (5.5.35), nor are they included in the current 6.0 line (6.0.35), nor are they included in the current 7.0 line (7.0.25).

If you are using a currently-supported version of Tomcat and you are up to date, then you are not vulnerable to this ancient vulnerability.

-chris
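As an added example (not part of the thread above, and not Tomcat project code), the check Chris describes can be automated: parse a Tomcat server.xml and report any <Connector> whose className is one of the two connectors he lists. The sample server.xml embedded below is constructed for illustration.

```python
"""Flag <Connector> elements in a Tomcat server.xml that name one of the
two connector classes listed in the CVE-2005-4836 discussion.
Added example; the sample configuration below is constructed."""
import xml.etree.ElementTree as ET

# The two connector classes named in the thread as affected.
VULNERABLE_CONNECTORS = {
    "org.apache.coyote.tomcat4.CoyoteConnector",
    "org.apache.catalina.connector.http.HttpConnector",
}


def find_vulnerable_connectors(server_xml: str) -> list:
    """Return one dict per <Connector> whose className is an affected class.

    A <Connector> with no className attribute uses the container default
    (the standard Coyote connector on supported Tomcat lines), so it is
    not flagged.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        class_name = conn.get("className")
        if class_name in VULNERABLE_CONNECTORS:
            findings.append({"className": class_name, "port": conn.get("port")})
    return findings


# Constructed sample: one default Coyote connector, one deprecated connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8081"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    for finding in find_vulnerable_connectors(SAMPLE_SERVER_XML):
        print(f"port {finding['port']}: affected connector {finding['className']}")
```

To run it against a real deployment, pass the contents of $CATALINA_HOME/conf/server.xml to find_vulnerable_connectors instead of the constructed sample.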
On 2/7/12 3:01 PM, Christopher Restorff wrote: > I have a question regarding CVE-2005-4836: > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4836 Wow. Blast from the past. > The security bulletin, http://tomcat.apache.org/security-4.html, > mentions that it will not be fixed in 4.x. However, there is no > indication as to whether it affects 5.x or beyond. Sure there is: look at the section on the page above titled "Vulnerable software and versions". It clearly says that certain versions of Tomcat 5.0.x and 5.0.x are affected. > Is this issue persistent in the 5, 6, and 7 versions? If not, > which versions are not affected. If you carefully read the security report for Tomcat 4, you'll see that the bug exists in a deprecated connector. If you are using the standard Coyote connector, then you are safe. For completeness, these are the connectors that are vulnerable to this issue: org.apache.coyote.tomcat4.CoyoteConnector org.apache.catalina.connector.http.HttpConnector Neither of these classes are included in the current 5.5 line (5.5.35), nor are they included in the current 6.0 line (6.0.35), nor are they included in the current 7.0 line (7.0.25). If you are using a currently-supported version of Tomcat and you are up to date, then you are not vulnerable to this ancient vulnerability. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk8xiEwACgkQ9CaO5/Lv0PDf0wCgqqpipQWaqzK6WiFzM6VYxphD MFwAoI/ehmi+V/K9XUSJSReMxiFGjuTQ =5uIJ -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org