tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Durga Srinivasu Karuturi <>
Subject Reg Sendfile Feature
Date Thu, 20 Apr 2017 16:14:03 GMT

We are trying to analyze two of the below CVEs related to tomcat sendfile

CVE-2017-5647 (Production tomcat 8.0.26)
CVE-2017-5651(Current tomcat 8.5.12)

We are enabling compression with NIO connector.

As per docs, connector level by default sendfile is enabled and sendfile
takes precedence over compression.

We are not setting any request attribute ""
to enable this support also.

With this can we assume sendfile will not be used and these two CVEs are
not application for us.

Or Do we need to disable connector level to completed turnoff sendfile?

Please clarify.

Durga Srinivasu

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message