www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject [SECURITY] Tomcat 7 ignores @ServletSecurity annotations
Date Wed, 02 Mar 2011 16:49:03 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As reported on the users list [1], both Tomcat 7.0.8 and the latest
Tomcat 7 code from svn appear to ignore @ServletSecurity annotations.
Assuming this issue is confirmed, it may lead to authentication bypass
and information disclosure.

The exact details are still being investigated but this e-mail is being
provided to give users early warning of this public issue.

If code changes are required to address this, they will be included in
the next release of Tomcat 7, 7.0.10. The release process for 7.0.10 is
expected to start once the investigation of this issue is complete.

Mark
on behalf of the Apache Tomcat security team


[1] http://markmail.org/message/yzmyn44f5aetmm2r
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNbnT/AAoJEBDAHFovYFnnfuMQAKwsYR44UklP4LH1n4m+pBby
OUDiW0nbxCDDyIbk7Q/K0yzd34YAu/1k4fHTnAiFJ3FPkpSMSmKDxsBvY8lgHkOx
gWWPx4RhJ+Iv2jqltyxITZFTpI6BIpU5Kl0oPH6q5RkO4GOw94HryYoLynID0u47
sfCgYqN6P4bCmXTofR+eRNTD7OGreNTmSVy96RyYOEV7vLs9Kffcj/QKyQFM0wj3
tlFSZ+YW+kQcolX28wNnWcWLlRyhsb6mCdcyYrYwjvnH0Y/PpNcdkdfqxQnH2X0a
R6YFzW+flNURWmTxyZZKqB6vEjrckZ4q+AjodienOEmef/iSX5nBkIrFYEffMSeP
SNAdfrtXJ3PSDCC1g15I21uU2hrYorPh22f8tLzK1MIDriplt0Fx1JSg4rBqUJnz
UPVambUySxZ3xpyRWY8Sr9DlY4jfKsZT1RJRunmBfLdJBaIORY45fyHyNxXnMp0S
p8mML0/aVDXxucpo12/DVtT7yLLVGUw55IA479qfkB8216Xog1DxeLA64MdFKTQo
vrtJfOWg8UqguVaBij4PYohE8XM52mm4Ogy2g8VbnEot8JgKp9p+RQo8pZTzVbAo
8A8SbVKL3yMg9nIL/iOzBqpkCHJn5EL8bALh2en844gZ88fG9GCWxD7navY/Vf7b
M9/R3+IwpRrosZWFHng1
=/RPi
-----END PGP SIGNATURE-----

--------------------------------------------------------------------- 
To unsubscribe, e-mail: announce-unsubscribe@apache.org 
For additional commands, e-mail: announce-help@apache.org 



Mime
View raw message