tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Markus Koschany <...@debian.org>
Subject CVE-2016-6808 Apache Tomcat JK ISAPI Connector buffer overflow
Date Fri, 07 Oct 2016 15:02:03 GMT
Hello,

the recent security announcement for Apache Tomcat JK (CVE-2016-6808)
mentions that only IIS/ISAPI specific code is vulnerable. This issue was
apparently fixed in [1]. The vulnerable code is in the
map_uri_to_worker_ext function which is used by the IIS, Apache 1.3 and
Apache 2.0 implementations.

Could someone clarify why the official security announcement only
mentions IIS and not all three servers? Are users who use Apache Tomcat
JK with Apache 2.x affected by CVE-2016-6808?

Regards,

Markus


[1] https://svn.apache.org/viewvc?view=revision&revision=1762057






Mime
View raw message