tomcat-users mailing list archives

From: Mladen Turk <mt...@apache.org>
Subject: Re: CVE-2010-4476 - is it fixed or not?
Date: Fri, 11 Feb 2011 09:47:21 GMT

On 02/11/2011 10:42 AM, Mark Thomas wrote:
>
>> b) not an issue unless the app uses Double.parseDouble
> False. As per the announcement sent to all the usual places:
> <quote>
> Tomcat is affected when accessing a form based security constrained
> page or any page that calls javax.servlet.ServletRequest.getLocale() or
> javax.servlet.ServletRequest.getLocales().
> </quote>
>

I'd add that the app needs a workaround as well if directly parsing
the problematic user/wire data (without a patched JVM).


Regards
-- 
^TM
