13 Jul 2023 07:07:29 Prodan, Andreea Adriana <andreea.pro...@siemens.com.INVALID>:

Whether that is something which happened in versions < 9.0.74 and is now, in versions >= 9.0.74, no longer the case.

The title of that section is "Fixed in 9.0.74".

The "Affects" section for the CVE is "Affects: 9.0.71 to 9.0.73".

What isn't clear about the affected versions from that information?

Mark
-----Original Message-----
From: Mark Thomas <m...@homeinbox.net>
Sent: Wednesday, July 12, 2023 10:25 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: CVE-2023-28709 incomplete fix


12 Jul 2023 13:23:32 Prodan, Andreea Adriana
<andreea.pro...@siemens.com.INVALID>:

Hello,

In regard to CVE-2023-28709
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28709>
we would like to know if the vulnerability caused by the incomplete
fix, "If non-default HTTP connector settings were used such that the
maxParameterCount could be reached using query string parameters and a
request was submitted that supplied exactly maxParameterCount
parameters in the query string, the limit for uploaded request parts
could be bypassed with the potential for a denial of service to
occur", was completely fixed in the release 9.0.74, and thus whether it
is enough just to upgrade to a version >= 9.0.74 to solve the issue.


Regards,
Andreea Prodan


What part of
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.74
is not sufficiently clear?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
