From: jkew
Date: Tue, 14 Aug 2007 11:52:19 -0700
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: CVE-2007-3382: Handling of cookies containing a ' character
Message-ID: <46C1F9E3.4010800@sourcelabs.com>
In-Reply-To: <46C1DF56.80003@kippdata.de>
References: <46C12155.5060405@apache.org> <46C1CFB6.10702@christopherschultz.net> <46C1DF56.80003@kippdata.de>

Rainer Jung wrote:
> Until now I didn't notice a committed fix for the cookie problem, but
> Mark or Filip might comment whether there are plans to include a fix
> in 5.5.25.

For CVE 3382, the fix appears to be in 5.5.x HEAD (rev 559280 and rev 557468) and 6.0.x HEAD (rev 557467) -- these checkins were committed around July 19th. These checkins may also apply to CVE-3385, but I'm still researching.

http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java?view=log
http://svn.apache.org/viewvc/tomcat/connectors/trunk/util/java/org/apache/tomcat/util/http/Cookies.java?view=log

-John

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org