tomcat-dev mailing list archives

From "William L. Thomson Jr." <wl...@gentoo.org>
Subject Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]
Date Mon, 22 Oct 2007 19:38:32 GMT

On Sun, 2007-10-21 at 14:03 -0400, William L. Thomson Jr. wrote:
> On Sun, 2007-10-21 at 17:41 +0100, Mark Thomas wrote:
> > William L. Thomson Jr. wrote:
> > > I take it down streams should run with the first patches to work around
> > > this vulnerability till next release. I already applied the one liner,
> > > kinda glad I did not apply the other last night ;) Please advise,
> > > thanks.
> > 
> > You need a version of the second patch for a complete fix. If you want
> > logging - apply my version, if you don't - apply Remy's. Both fix the
> > problem, just in slightly different ways.
> > 
> > We'll have to wait and see which way the voting goes for which patch
> > gets incorporated into the code base.
> 
> That's what I am interested in, and willing to wait a bit for. Don't
> want to appear to be taking sides or adding in my own opinion based on
> which one to apply/go with or not. Prefer to stick with whatever
> direction upstream goes in and/or recommends.
> 

For what it's worth, I am thinking logging might be best. Mostly because
to my understanding one must be authorized in webdav etc. to be able
to exploit the vulnerability. So it's more of an attack from within, and
IMHO it's even more important to log those. It's one thing to be
attacked from the outside world, but being attacked from within can be
worse, since in theory they are trusted to a point.

Either way I do agree with the other post on being consistent with other
projects.

-- 
William L. Thomson Jr.
Gentoo/Java
