tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat issue (Solaris 10)
Date Thu, 08 Sep 2011 21:07:40 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Amit,

Please keep conversations on-list to benefit others.

On 9/8/2011 3:57 PM, Anand, Amit (Contractor) wrote:
> Thank you very much for all your help! Like I said, not very good 
> with Tomcat. So this patch should fix this CVE-2011-3109 (Bug 
> 51698).

Yes.

> The thing is, I don’t even know how to implement it....

Tomcat doesn't provide binary patches, so you have to do this at the
source level. You can download the source for Tomcat 6.0.33, then
apply the patch to the source (2 Java files were modified... you could
do it by hand if you don't know how to use "patch"), then re-build.
You only really need to re-compile the 2 files that were modified.

You could also wait for 6.0.34.

If you are really anxious, the easiest thing to do is to add a shared
"secret" to both your proxy and Tomcat: this will essentially
eliminate this particular threat. Look for "request.secret" on this page:

http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5pLpwACgkQ9CaO5/Lv0PBBwwCcDUtGKFzxFFzNidl0i7rjdB3N
gBYAn3oH7EAya7w1C/vnI///diS8zgpg
=qMI+
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message