tomcat-dev mailing list archives

From "William A. Rowe, Jr."
Subject Re: [CVE-2008-2370] Apache Tomcat information disclosure vulnerability
Date Sat, 02 Aug 2008 08:00:05 GMT
Mark Thomas wrote:
> What mitigations are you thinking of?
> The description is intended to be sufficient for a user to determine if 
> they match the vulnerability conditions. And for this notice I 
> believe it meets these criteria.
> In this case there is no way of configuring yourself away from the 
> vulnerability. If you use a RequestDispatcher, you are vulnerable.

My mistake, I understood that if the user was strictly using ISO-8859-1
encoding they were not vulnerable.  But I might have missed a few posts
in the backchannel, as I was away teaching all week.
