tomcat-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [CVE-2008-2370] Apache Tomcat information disclosure vulnerability
Date Sat, 02 Aug 2008 08:00:05 GMT
Mark Thomas wrote:
> 
> What mitigations are you thinking of?
> 
> The description is intended to be sufficient for a user to determine if 
> they match the vulnerability conditions. And for this notice I 
> believe it meets this criteria.
> 
> In this case there is no way of configuring yourself away from the 
> vulnerability. If you use a RequestDispatcher, you are vulnerable.

My mistake, I understood that if the user was strictly using ISO-8859-1
encoding they were not vulnerable.  But I might have missed a few posts
in the backchannel, as I was away teaching all week.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

