tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian" <bbprefix-m...@yahoo.com>
Subject RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
Date Sun, 10 Oct 2010 19:59:40 GMT
Hi Mark,

Do you understand exactly what vulnerability are they talking about? For
some reason, they have determined that I have it, even though I'm not using
Jrun but they wrongly assume I am.
What do you mean exactly with "app managing its own authentication"? Sorry
if it is a dumb question.

I found this on Google, and now that I read it I realize they are quoting
you!  :-)
http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomc
at-7-The-New-and-the-Improved.htm
Is this the same subject?

Thanks a lot for your response!



> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Sunday, October 10, 2010 02:46 PM
> To: Tomcat Users List
> Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
> 
> On 10/10/2010 20:32, Brian wrote:
> > I'm not using Jrun, but I guess the vulnerability applies also to
> > Tomcat
> > 6.0.29 so they treated me as if I was using Jrun with that
vulnerability.
> 
> That guess has no basis in fact.
> 
> > Does anybody know what should I do to solve this now?
> 
> There is nothing to fix unless you are running an app that is vulnerable
(possible
> if the app manages its own authentication). If you are, fix your app.
> 
> > I guess they are talking about this issue (please read issue # 2):
> > http://www.developer.com/java/web/article.php/3904871/Top-7-Features-i
> > n-Tomcat-7-The-New-and-the-Improved.htm
> 
> Did you look at the Tomcat 6.0.x change log? Go read the entries for
6.0.21.
> 
> Mark
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message