On 16/04/2025 18:20, Nguyen Duong wrote:
> Hi Tomcat team
> I am really sorry to bother you regarding this fix for Tomcat 9.0.98 revolving
> around the following CVEs,
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50379
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56337
> (★) My question is if we install our Tomcat 9.0.97 (or lower version) on
> Windows OS (Case Insensitive), and the default value of DefaultServlet Write
> Enabled is FALSE (Since readonly parameter is not touched)
> Then I should not be concerned about the CVE since its first and foremost
> important condition is below right?

Correct.

> If the default servlet is write enabled (readonly initialisation parameter set
> to the non-default value of false) for a case insensitive file system
> Meaning with the env described in (★) the CVEs are not a concern, and I do NOT
> have to even set sun.io.useCanonCaches to false on Tomcat9w.exe right?

Correct.

> I am trying to avoid upgrade or restarting my Tomcat.

Based on the information you have provided, that should not be necessary.

Mark

> Best regards,
> Nguyen
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org