tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "CHENG Jianhua" <>
Subject Confusion about tomcat security bulletin
Date Wed, 01 Aug 2007 08:25:35 GMT
Dear All,
Our company have an application use tomcat 5.0.27 and can't upgrade the
I'm very concern about the security issue relate to this version.
Now I have some confusion about tomcat security bulletin
<>  .
For example:
Fixed in Apache Tomcat 5.5.23, 5.0.HEAD 	

	important: Information disclosure CVE-2005-2090

	Requests with multiple content-length headers should be rejected
as invalid. When multiple components (firewalls, caches, proxies and
Tomcat) process a sequence of requests where one or more requests
contain multiple content-length headers and several components do not
reject the request and make different decisions as to which
content-length leader to use an attacker can poision a web-cache,
perform an XSS attack and obtain senstive information from requests
other then their own. Tomcat now returns 400 for requests with multiple
content-length headers. 

	Affects: 5.0.0-5.0.30, 5.5.0-5.5.22

This issue does affect 5.0.27, but "Fixed in Apache Tomcat 5.5.23,
5.0.HEAD ".  Does "5.0.HEAD" include 5.0.27 itself?
 If so does it mean when I get new release 5.0.27 from tomcat website
then the issue will be fixed? And if new issue has been report such as
"moderate: Cross-site scripting CVE-2007-1355
<>  " , it
also affects 5.0.27 and Fixed in 5.0.HEAD, does it mean I must get
5.0.27 from tomcat website agagin to fixed this issue?
Look forward your answer and Thans a lot!
Best regards,
Cheng Jianhua

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message