Rainer, OK, I see now.
Thank you very much! Best regards, Cheng Jianhua -----Original Message----- From: Rainer Jung [mailto:[EMAIL PROTECTED] Sent: 2007年8月1日 16:35 To: Tomcat Users List Subject: Re: Confusion about tomcat security bulletin 5.0.HEAD is the most actual, non-released version of the 5.0 code branch. So this means, the problem will be fixed in any new 5.0 release. Currently there are no plans do do a new 5.0 release. So if security is a real concern for you, you should upgrade to at least 5.5 (which shouldn't be a big deal) or to 6.0. If you can't upgrade and you must fix the issue, you will need to build from the source (which is a little painful for TC 5.0). Regards, Rainer CHENG Jianhua wrote: > Dear All, > > Our company have an application use tomcat 5.0.27 and can't upgrade > the version. > I'm very concern about the security issue relate to this version. > > Now I have some confusion about tomcat security bulletin > http://tomcat.apache.org/security-5.html > <http://tomcat.apache.org/security-5.html> . > For example: > ---------------------------------------------------------------------- > -- > ------------------------------------------------ > Fixed in Apache Tomcat 5.5.23, 5.0.HEAD > > important: Information disclosure CVE-2005-2090 > <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090> > > Requests with multiple content-length headers should be rejected as > invalid. When multiple components (firewalls, caches, proxies and > Tomcat) process a sequence of requests where one or more requests > contain multiple content-length headers and several components do not > reject the request and make different decisions as to which > content-length leader to use an attacker can poision a web-cache, > perform an XSS attack and obtain senstive information from requests > other then their own. Tomcat now returns 400 for requests with > multiple content-length headers. > > Affects: 5.0.0-5.0.30, 5.5.0-5.5.22 > > ---------------------------------------------------------------------- > -- > ---------------------------------------------------------------------- > -- > -------------- > This issue does affect 5.0.27, but "Fixed in Apache Tomcat 5.5.23, > 5.0.HEAD ". Does "5.0.HEAD" include 5.0.27 itself? > If so does it mean when I get new release 5.0.27 from tomcat website > then the issue will be fixed? And if new issue has been report such as > "moderate: Cross-site scripting CVE-2007-1355 > <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355> " , it > also affects 5.0.27 and Fixed in 5.0.HEAD, does it mean I must get > 5.0.27 from tomcat website agagin to fixed this issue? > > > Look forward your answer and Thans a lot! > > Best regards, > Cheng Jianhua --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
