nambo.k...@oss.ntt.co.jp wrote:
> Hi, Mark.
>
>> The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
>
> I checked Tomcat 5.0.x source code and I've found that
> org.apache.coyote.http11.filters.SavedRequestInputFilter is NOT included.
> Does this mean Tomcat 5.0.x is not affected by this vulnerability?

I would assume so but haven't confirmed this as 5.0.x is unsupported.

Mark

> Advice, please.
>
> Kazu Nambo
>
>
> From: ma...@apache.org
> Subject: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
> Date: Wed, 25 Feb 2009 23:17:37 +0000
>
> CVE-2008-4308: Tomcat information disclosure vulnerability
>
> Severity: Low
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Tomcat 4.1.32 to 4.1.34
> Tomcat 5.5.10 to 5.5.20
> Tomcat 6.0.x is not affected
> The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
>
> Note: Although this vulnerability affects relatively old versions of
> Apache Tomcat, it was only discovered and reported to the Apache Tomcat
> Security team in October 2008. Publication of this issue was then
> postponed until now at the request of the reporter.
>
> Description:
> Bug 40771 (https://issues.apache.org/bugzilla/show_bug.cgi?id=40771) may
> result in the disclosure of POSTed content from a previous request. For
> a vulnerability to exist the content read from the input stream must be
> disclosed, eg via writing it to the response and committing the
> response, before the ArrayIndexOutOfBoundsException occurs which will
> halt processing of the request.
>
> Mitigation:
> Upgrade to:
> 4.1.35 or later
> 5.5.21 or later
> 6.0.0 or later
>
> Example:
> See original bug report for example of how to create the error condition.
>
> Credit:
> This issue was discovered by Fujitsu and reported to the Tomcat Security
> Team via JPCERT.
>
> References:
> http://tomcat.apache.org/security.html
>
> Mark Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
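The practical question in this thread is whether a given Tomcat installation falls inside the affected ranges the advisory lists. The following triage script is an added example, not part of the thread and not Tomcat project code: it encodes the version ranges exactly as the advisory states them (4.1.32 to 4.1.34 and 5.5.10 to 5.5.20 affected; 4.1.35, 5.5.21 and 6.0.0 or later fixed; 3.x, 4.0.x and 5.0.x unsupported and only "may be" affected) and classifies version strings such as the `Server version: Apache Tomcat/x.y.z` line printed by `version.sh`. The input lines are constructed for illustration; versions the advisory does not mention at all are reported as "not listed in advisory" rather than guessed.

```python
import re
from typing import List, Optional, Tuple

# Version ranges copied from the CVE-2008-4308 advisory quoted in this thread.
# Keyed by (major, minor) branch; values are inclusive patch-level bounds.
AFFECTED_RANGES = {
    (4, 1): (32, 34),
    (5, 5): (10, 20),
}
# First fixed patch level on each affected branch ("Upgrade to: ... or later").
FIXED_FROM = {
    (4, 1): 35,
    (5, 5): 21,
}
# Branches the advisory calls unsupported and "may be also affected".
UNSUPPORTED_BRANCHES = {(4, 0), (5, 0)}  # plus every 3.x branch, handled below

# Matches the first three-part version number in a line, e.g.
# "Server version: Apache Tomcat/5.5.17" -> (5, 5, 17).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a version string, or None."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def classify(text: str) -> str:
    """Map a Tomcat version string to its CVE-2008-4308 status per the advisory."""
    version = parse_version(text)
    if version is None:
        # e.g. the default "Apache-Coyote/1.1" Server header carries no Tomcat version
        return "unknown"
    major, minor, patch = version
    if major >= 6:
        # "Tomcat 6.0.x is not affected" and "6.0.0 or later" is a listed fix
        return "not affected"
    if major == 3 or (major, minor) in UNSUPPORTED_BRANCHES:
        return "possibly affected (unsupported branch)"
    branch = (major, minor)
    if branch in AFFECTED_RANGES:
        low, high = AFFECTED_RANGES[branch]
        if low <= patch <= high:
            return "affected"
        if patch >= FIXED_FROM[branch]:
            return "fixed"
    # Anything else (e.g. 4.1.31 or 5.5.9) is simply not mentioned by the advisory.
    return "not listed in advisory"


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Classify each input line; returns (line, status) pairs in input order."""
    return [(line, classify(line)) for line in lines]


# Constructed sample inventory lines (not real hosts), as an asset scan might collect them.
SAMPLE_INVENTORY = [
    "app01  Server version: Apache Tomcat/5.5.17",
    "app02  Server version: Apache Tomcat/4.1.34",
    "app03  Server version: Apache Tomcat/5.5.21",
    "app04  Server version: Apache Tomcat/6.0.18",
    "legacy Server version: Apache Tomcat/5.0.28",
    "proxy  Server: Apache-Coyote/1.1",
]

if __name__ == "__main__":
    for line, status in triage(SAMPLE_INVENTORY):
        print(f"{status:40s} {line}")
```

Running the block prints one status per inventory line; `legacy` comes back as "possibly affected (unsupported branch)", which matches the answer given in this thread for 5.0.x: the advisory does not rule it out, so it needs a manual check rather than an automatic verdict.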