tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51828] Tomcat vulnerable to CVE-2011-3192 denial of service
Date Thu, 15 Sep 2011 15:52:39 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51828

William A. Rowe Jr. <wrowe@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #2 from William A. Rowe Jr. <wrowe@apache.org> 2011-09-15 15:52:39 UTC ---
According to that page, Tim Funk answers correctly, quoting him...

"It's not a vulnerability. Read the Default servlet code. It loads the resource
once. It also reads all the range offsets. Then it iterates through all the
offsets serving the content based on the original resource. Which is DIFFERENT
as to how apache httpd did it. So it will not trigger an OOM exception."

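The range handling described in the quoted comment (open the resource once, parse all the offsets, then stream each range from that one resource) can be modelled as below. This is an added example, not Tomcat's DefaultServlet code and not part of the original message; `parse_ranges`, `serve_ranges`, `CHUNK` and `SAMPLE` are hypothetical names, and the multipart boundaries and part headers of a real response are left out.

```python
import io

CHUNK = 8192  # copy-buffer size; an assumed value for this model
SAMPLE = bytes(i % 251 for i in range(20000))  # constructed sample resource

def parse_ranges(header, size):
    """Parse 'bytes=a-b,c-,-n' into inclusive (start, end) pairs, or None if invalid."""
    if not header.startswith("bytes=") or size <= 0:
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        first, sep, last = spec.strip().partition("-")
        try:
            if not sep:
                return None
            if first == "":                      # suffix form: the last N bytes
                n = int(last)
                if n <= 0:
                    return None
                start, end = max(size - n, 0), size - 1
            else:
                start = int(first)
                end = min(int(last), size - 1) if last else size - 1
        except ValueError:
            return None
        if start < 0 or start > end:
            return None
        ranges.append((start, end))
    return ranges

def serve_ranges(resource, ranges, sink):
    """Stream every range from the one open resource; return the largest buffer held."""
    peak = 0
    for start, end in ranges:
        resource.seek(start)
        remaining = end - start + 1
        while remaining > 0:
            buf = resource.read(min(CHUNK, remaining))
            if not buf:
                break
            peak = max(peak, len(buf))
            sink.write(buf)
            remaining -= len(buf)
    return peak

if __name__ == "__main__":
    out = io.BytesIO()
    ranges = parse_ranges("bytes=0-99,50-149,-10,0-", len(SAMPLE))
    print(ranges, serve_ranges(io.BytesIO(SAMPLE), ranges, out), len(out.getvalue()))
```

The bytes written grow with the sum of the range lengths, while the memory held at any moment stays at one copy buffer, because no per-range copy of the content is built before sending.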