tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat issue (Solaris 10)
Date Thu, 08 Sep 2011 21:17:22 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Amit,

Please keep conversations on-list to benefit others.

On 9/8/2011 3:57 PM, Anand, Amit (Contractor) wrote:
> Thank you very much for all your help! Like I said, not very good 
> with Tomcat. So this patch should fix this CVE-2011-3109 (Bug
> 51698).

Yes.

> The thing is, I don’t even know how to implement it....

Tomcat doesn't provide binary patches, so you have to do this at the
source level. You can download the source for Tomcat 6.0.33, then apply
the patch to the source (2 Java files were modified... you could do it
by hand if you don't know how to use "patch"), then re-build. You only
really need to re-compile the 2 files that were modified.

You could also wait for 6.0.34.

If you are really anxious, the easiest thing to do is to add a shared
"secret" to both your proxy and Tomcat: this will essentially eliminate
this particular threat. Look for "request.secret" on this page:

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5pMOIACgkQ9CaO5/Lv0PAyUACdHa+08ZPSqmudyv4gwkwIhcD+
nXwAnRJUn1nVEd4iANnnkFXwMFA6CcPq
=Uton
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message