Whether that is something which happened in the versions < 9.0.74 and now in the versions >= 9.0.74 is not the case anymore.
-----Original Message----- From: Mark Thomas <m...@homeinbox.net> Sent: Wednesday, July 12, 2023 10:25 PM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: CVE-2023-28709 incomplete fix 12 Jul 2023 13:23:32 Prodan, Andreea Adriana <andreea.pro...@siemens.com.INVALID>: > Hello, > > In regard to > CVE-2023-28709<http://htt/ > ps%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2023-287 > 09&data=05%7C01%7Candreea.prodan%40siemens.com%7C0ccf59eec5024b4d386b0 > 8db830de352%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C6382478679016 > 50615%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJB > TiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NSo4DU569odbzmSt9GBcZ > iqTLdtobMfZ5EUnil4UDBg%3D&reserved=0> > we would like to know if the vulnerability caused by the incomplete > fix, "If non-default HTTP connector settings were used such that the > maxParameterCount could be reached using query string parameters and a > request was submitted that supplied exactly maxParameterCount > parameters in the query string, the limit for uploaded request parts > could be bypassed with the potential for a denial of service to > occur", was completely fixed in the release 9.0.74 and thus is enough > just to do an upgrade to a version >= 9.0.74 to solve the issue. > > > Regards,> Andreea Prodan What part of https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.74 is not sufficiently clear? Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
