tomcat-users mailing list archives

From "Tadelkar, Gauravsagar (Gaurav)" <gtadel...@avaya.com>
Subject RE: Does CVE-2007-0450 (Directory Traversal) affect standalone Tomcat
Date Thu, 10 Sep 2009 05:43:52 GMT

 Thanks for the reply, Mark. 

  If possible, can you please point to any references/docs which would
help me convince others about the directory traversal vulnerability not
impacting a standalone tomcat? Even an explanation would help.

 I personally do agree that upgrading the tomcat is surely the thing to
do rather than looking for alternatives, but this is something beyond my
powers in this case :-)

Thanks once again.

Gaurav


-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Wednesday, September 09, 2009 1:49 PM
To: Tomcat Users List
Subject: Re: Does CVE-2007-0450 (Directory Traversal) affect standalone
Tomcat

Tadelkar, Gauravsagar (Gaurav) wrote:
> I have a tomcat at version 5.5.15 in a standalone mode and due to some
> compulsions cannot upgrade it. Does the directory traversal
> vulnerability affect tomcat in a standalone mode (the 5.5.15 ver does
> not have a fix to this vulnerability)?

No it doesn't. However, there are plenty of other vulnerabilities (eg
CVE-2008-5515) that do.

> Alternately, is there a way I can secure/work around this 
> vulnerability without upgrading?

You'd have to look at each vulnerability on a case by case basis.
Upgrading to 5.5.28 is likely to be less painful than any of the
alternatives.

Mark




