12 Jul 2023 13:23:32 Prodan, Andreea Adriana
<andreea.pro...@siemens.com.INVALID>:
Hello,
In regard to
CVE-2023-28709<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28709>
we would like to know if the vulnerability caused by the incomplete
fix, "If non-default HTTP connector settings were used such that the
maxParameterCount could be reached using query string parameters and a
request was submitted that supplied exactly maxParameterCount
parameters in the query string, the limit for uploaded request parts
could be bypassed with the potential for a denial of service to
occur", was completely fixed in the release 9.0.74 and thus it is enough
just to do an upgrade to a version >= 9.0.74 to solve the issue.
Regards,
Andreea Prodan

What part of
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.74
is not sufficiently clear?
Mark