Message-ID: <47ACD699.5050306@apache.org>
Date: Fri, 08 Feb 2008 22:24:25 +0000
From: Mark Thomas
To: Tomcat Users List, Tomcat Developers List, bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
CC: Apache Tomcat private security list
Subject: CVE-2008-0002: Tomcat information disclosure vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-0002: Tomcat information disclosure vulnerability

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 6.0.5 to 6.0.15

Description:
If an exception occurs during the processing of parameters (e.g. if the
client disconnects) then it is possible that the parameters submitted for
that request will be incorrectly processed as part of a following request.

Mitigation:
6.0.x users should upgrade to 6.0.16 or later.

Example:
See description.

Credit:
This issue was discovered by Chitrapandian N of AdventNet Inc.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html

The Apache Tomcat Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHrNaZb7IeiTPGAkMRAgRxAKCjiAu1kTbKcE4mo0azKvtakl3u/wCcD8Vk
S5EZi3e+Da7+99Jkxb/jzn8=
=rUWc
-----END PGP SIGNATURE-----
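The failure mode the advisory's Description refers to, illustrated with Java added here that is not Tomcat's code: a pooled request object whose parameter map is cleared only on the normal completion path, next to a version that clears it in a finally block so an aborted parse cannot leave the previous client's parameters behind for the next request. The Request, Processor and ClientDisconnectedException classes, the "<EOF>" marker and the sample bodies are constructed for the illustration and do not correspond to Tomcat internals.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Illustration only (not Tomcat's code): a request object that is pooled and reused
 * across connections, and what its parameter map looks like on the next request when
 * parameter parsing aborts part-way and the reset step is skipped.
 */
public class RecycledRequestDemo {

    /** Stands in for the client dropping the connection while the body is being read. */
    static class ClientDisconnectedException extends RuntimeException {
        ClientDisconnectedException(String message) {
            super(message);
        }
    }

    /** Minimal pooled request: parameters accumulate until recycle() clears them. */
    static class Request {
        private final Map<String, String> parameters = new HashMap<>();

        /** Parses a form-encoded body; "<EOF>" (constructed marker) simulates a disconnect. */
        void parseParameters(String body) {
            for (String pair : body.split("&")) {
                if (pair.equals("<EOF>")) {
                    throw new ClientDisconnectedException("client disconnected mid-body");
                }
                String[] kv = pair.split("=", 2);
                parameters.put(kv[0], kv.length > 1 ? kv[1] : "");
            }
        }

        Map<String, String> getParameters() {
            return parameters;
        }

        /** Returns the object to a clean state before it serves another connection. */
        void recycle() {
            parameters.clear();
        }
    }

    /** One processor's reusable Request; the flag selects where recycle() is called. */
    static class Processor {
        private final Request request = new Request();
        private final boolean recycleInFinally;

        Processor(boolean recycleInFinally) {
            this.recycleInFinally = recycleInFinally;
        }

        /** Returns a copy of what a servlet would see for this body, or null if parsing aborted. */
        Map<String, String> service(String body) {
            if (recycleInFinally) {
                try {
                    request.parseParameters(body);
                    return new HashMap<>(request.getParameters());
                } catch (ClientDisconnectedException e) {
                    return null;
                } finally {
                    request.recycle(); // runs on every path, including the exception path
                }
            }
            try {
                request.parseParameters(body);
                Map<String, String> seen = new HashMap<>(request.getParameters());
                request.recycle(); // only reached when parsing completes normally
                return seen;
            } catch (ClientDisconnectedException e) {
                return null; // recycle() skipped: the partial parameters stay in the map
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample traffic: one client aborts mid-body, an unrelated client follows.
        String abortedBody = "user=alice&token=s3cr3t&<EOF>";
        String nextBody = "q=hello";

        Processor leaky = new Processor(false);
        leaky.service(abortedBody);
        System.out.println("recycle only on success: " + leaky.service(nextBody));

        Processor fixed = new Processor(true);
        fixed.service(abortedBody);
        System.out.println("recycle in finally:      " + fixed.service(nextBody));
    }
}
```

Compile and run with `javac RecycledRequestDemo.java && java RecycledRequestDemo`. The first line shows the second client's parameter map carrying the aborted client's user and token alongside its own q; the second shows only q. The defensive point is where the reset lives: any per-request state held in a pooled object must be cleared on every exit path, and a reset that is only reached after a successful parse is exactly the kind of gap that turns one client's aborted request into data visible to the next.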