tomcat-users mailing list archives

From Michael McCutcheon <>
Subject Re: [SECURITY] Tomcat 7 ignores @ServletSecurity annotations
Date Thu, 03 Mar 2011 05:22:45 GMT
On 3/2/2011 8:49 AM, Mark Thomas wrote:
> As reported on the users list [1], both Tomcat 7.0.8 and the latest
> Tomcat 7 code from svn appear to ignore @ServletSecurity annotations.
> Assuming this issue is confirmed, it may lead to authentication bypass
> and information disclosure.
> The exact details are still being investigated but this e-mail is being
> provided to give users early warning of this public issue.
> If code changes are required to address this, they will be included in
> the next release of Tomcat 7, 7.0.10. The release process for 7.0.10 is
> expected to start once the investigation of this issue is complete.
> Mark
> on behalf of the Apache Tomcat security team

Hello, I was just wondering if there was any update on this issue.

