tomcat-users mailing list archives

From Durga Srinivasu Karuturi <durgasriniv...@gmail.com>
Subject Reg Sendfile Feature
Date Thu, 20 Apr 2017 16:14:03 GMT
Hi,

We are trying to analyze the two CVEs below, which are related to the Tomcat sendfile
feature.

CVE-2017-5647 (Production Tomcat 8.0.26)
CVE-2017-5651 (Current Tomcat 8.5.12)

We are enabling compression with the NIO connector.

As per the docs, sendfile is enabled by default at the connector level, and sendfile
takes precedence over compression.

We are also not setting any request attribute "org.apache.tomcat.sendfile.support"
to enable this support.

With this, can we assume sendfile will not be used and these two CVEs are
not applicable to us?

Or do we need to disable it at the connector level to completely turn off sendfile?

Please clarify.

Thanks,
Durga Srinivasu
