tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: CVE-2010-4476 - is it fixed or not?
Date Fri, 11 Feb 2011 09:42:07 GMT
On 10/02/2011 23:03, Leon Rosenberg wrote:
> Hi,
> 
> short question, I read in the http://tomcat.apache.org/security-6.html
> that a possible DoS attack vulnerability has been fixed in Request
> class.
> Does that mean that CVE-2010-4476 is
> a) not an issue with 6.0.32++
True. Also not an issue with 7.0.8+ and 5.5.33+

> b) not an issue unless the app uses Double.parseDouble
False. As per the announcement sent to all the usual places:
<quote>
Tomcat is affected when accessing a form based security constrained
page or any page that calls javax.servlet.ServletRequest.getLocale() or
javax.servlet.ServletRequest.getLocales().
</quote>

> c) probably not an issue in tomcat, at least until someone finds out it is.
False. See above.

I would add that Oracle have now released a patch for 1.6.0_23. If
running on a patched JVM, CVE-2010-4476 is not an issue for *any* Tomcat
version.

Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org