tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases
Date Thu, 08 Sep 2011 21:37:15 GMT
On 08/09/2011 21:22, Christopher Schultz wrote:
> Mark,
> 
> On 9/8/2011 11:47 AM, Mark Thomas wrote:
>> On 08/09/2011 16:13, Christopher Schultz wrote:
>>> Should we mention this on the Security page directly for those
>>> who didn't read the announcement on the users' list?
>> 
>> No reason why not. Go for it.
> 
> Also, security-5.html says that Tomcat 5.0.0 - 5.0.33 are affected.
> It should probably be 5.5.0-5.5.30, right?

It should say all 5.5.x versions up to the latest - 5.5.33 - are
affected. 5.0.x is almost certainly affected but since we stopped
supporting that we no longer check if it is vulnerable nor report on it.

I'll fix that in a tick.

Mark
