From: Mark Thomas
Date: Sun, 10 Oct 2010 20:45:39 +0100
To: Tomcat Users List
Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
Message-ID: <4CB217E3.3020809@apache.org>
On 10/10/2010 20:32, Brian wrote:
> I'm not using JRun, but I guess the vulnerability applies also to Tomcat
> 6.0.29 so they treated me as if I was using JRun with that vulnerability.

That guess has no basis in fact.

> Does anybody know what I should do to solve this now?

There is nothing to fix unless you are running an app that is vulnerable (possible if the app manages its own authentication). If you are, fix your app.

> I guess they are talking about this issue (please read issue # 2):
> http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm

Did you look at the Tomcat 6.0.x change log? Go read the entries for 6.0.21.

Mark
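Mark's answer hinges on apps that manage their own authentication. The usual way such an app avoids carrying the session identifier the browser arrived with across the login boundary is to discard that session and issue a fresh one once the credentials check succeeds, so a session ID handed to the victim before login is worthless afterwards. The servlet below is an added example written for this archive page; it is not code from the thread or from Tomcat. It targets the Servlet 2.5 API that Tomcat 6 implements, and `LoginServlet`, `rotateSession`, the `/home` redirect target and the `DEMO_USERS` table are all constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical login servlet for an app that does its own authentication. */
public class LoginServlet extends HttpServlet {

    private static final Charset UTF_8 = Charset.forName("UTF-8");

    // Constructed demo credential store; a real app checks a salted password hash.
    private static final Map<String, String> DEMO_USERS =
            Collections.singletonMap("alice", "correct horse battery staple");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (!checkCredentials(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Weak pattern: mark the pre-login session as authenticated, keeping its ID.
        //   req.getSession(true).setAttribute("user", user);
        //
        // Hardened pattern: rotate the session at the trust boundary so the ID
        // that existed before authentication never becomes an authenticated one.
        HttpSession fresh = rotateSession(req);
        fresh.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /**
     * Invalidates the caller's current session (if any), creates a new one with a
     * new ID, and carries over the old attributes (e.g. a shopping cart) so the
     * user does not lose pre-login state.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        Map<String, Object> carried = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the old JSESSIONID is now rejected by the container
        }
        HttpSession fresh = req.getSession(true); // container issues a new ID
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Constant-time comparison against the demo store; hypothetical helper. */
    private boolean checkCredentials(String user, String pass) {
        if (user == null || pass == null) {
            return false;
        }
        String expected = DEMO_USERS.get(user);
        return expected != null
                && MessageDigest.isEqual(expected.getBytes(UTF_8), pass.getBytes(UTF_8));
    }
}
```

A quick check that the rotation works: log in through the form, compare the `JSESSIONID` cookie value before and after the POST, and confirm the old value no longer resolves to a session. On Servlet 3.1 containers (Tomcat 8 and later) `HttpServletRequest.changeSessionId()` does the same rotation in one call, and for container-managed authentication the Tomcat authenticator performs it itself; an app with its own login form has to do it in its own code, which is the situation Mark's "fix your app" refers to.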