From: Michael McCutcheon
To: users@tomcat.apache.org
Date: Wed, 02 Mar 2011 21:22:45 -0800
Subject: Re: [SECURITY] Tomcat 7 ignores @ServletSecurity annotations
Message-ID: <4D6F25A5.8030907@att.net>
In-Reply-To: <4D6E74FF.7050106@apache.org>

On 3/2/2011 8:49 AM, Mark Thomas wrote:
> As reported on the users list [1], both Tomcat 7.0.8 and the latest
> Tomcat 7 code from svn appear to ignore @ServletSecurity annotations.
> Assuming this issue is confirmed, it may lead to authentication bypass
> and information disclosure.
>
> The exact details are still being investigated but this e-mail is being
> provided to give users early warning of this public issue.
>
> If code changes are required to address this, they will be included in
> the next release of Tomcat 7, 7.0.10. The release process for 7.0.10 is
> expected to start once the investigation of this issue is complete.
>
> Mark
> on behalf of the Apache Tomcat security team

Hello,

I was just wondering if there was any update on this issue.

-Mike
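Added example, not part of this thread and not Tomcat's own code: a hypothetical servlet guarded by the @ServletSecurity annotation the advisory says Tomcat 7.0.8 ignored, with a programmatic role check as a defence-in-depth layer so that a container dropping the annotation does not silently expose the resource. The servlet class, the `/admin/report` URL pattern and the `admin` role name are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical admin-only servlet (Servlet 3.0 / javax.servlet API, as used by Tomcat 7).
// The annotation is the declarative control the advisory says Tomcat 7.0.8 ignored:
// if the container skips it, every request reaches doGet() with no authentication.
@WebServlet("/admin/report")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"admin"},
        transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))
public class AdminReportServlet extends HttpServlet {

    // Assumed role name; it must match the role the realm assigns to administrators.
    private static final String REQUIRED_ROLE = "admin";

    // Defence in depth: re-check in code what the annotation should already enforce.
    static boolean isAuthorized(HttpServletRequest req) {
        return req.getUserPrincipal() != null && req.isUserInRole(REQUIRED_ROLE);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!isAuthorized(req)) {
            // 401 when nobody is logged in, 403 when logged in without the role.
            int status = req.getUserPrincipal() == null
                    ? HttpServletResponse.SC_UNAUTHORIZED
                    : HttpServletResponse.SC_FORBIDDEN;
            // Detection signal: this branch is unreachable when the container honours
            // @ServletSecurity, so any hit here means the declarative constraint failed.
            log("Programmatic check rejected " + req.getRemoteAddr()
                    + " on " + req.getRequestURI() + " with status " + status);
            resp.sendError(status);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Constructed sample report for "
                + req.getUserPrincipal().getName());
    }
}
```

The same constraint can additionally be declared as a security-constraint in web.xml; the point of the in-code check is that the resource stays protected even if every declarative layer is ignored, and that such a failure becomes visible in the logs.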