tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Question regarding mappings for CVE-2005-4836
Date Tue, 07 Feb 2012 20:23:40 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christopher,

On 2/7/12 3:01 PM, Christopher Restorff wrote:
> I have a question regarding CVE-2005-4836: 
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4836

Wow. Blast from the past.

> The security bulletin, http://tomcat.apache.org/security-4.html, 
> mentions that it will not be fixed in 4.x. However, there is no 
> indication as to whether it affects 5.x or beyond.

Sure there is: look at the section on the page above titled
"Vulnerable software and versions". It clearly says that certain
versions of Tomcat 5.0.x and 5.0.x are affected.

> Is this issue persistent in the 5, 6, and 7 versions? If not,
> which versions are not affected.

If you carefully read the security report for Tomcat 4, you'll see
that the bug exists in a deprecated connector. If you are using the
standard Coyote connector, then you are safe.

For completeness, these are the connectors that are vulnerable to this
issue:
org.apache.coyote.tomcat4.CoyoteConnector
org.apache.catalina.connector.http.HttpConnector

Neither of these classes are included in the current 5.5 line
(5.5.35), nor are they included in the current 6.0 line (6.0.35), nor
are they included in the current 7.0 line (7.0.25).

If you are using a currently-supported version of Tomcat and you are
up to date, then you are not vulnerable to this ancient vulnerability.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8xiEwACgkQ9CaO5/Lv0PDf0wCgqqpipQWaqzK6WiFzM6VYxphD
MFwAoI/ehmi+V/K9XUSJSReMxiFGjuTQ
=5uIJ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message