Re: Confusion about tomcat security bulletin

Wed, 01 Aug 2007 01:36:46 -0700

5.0.HEAD is the most actual, non-released version of the 5.0 code branch. So this means, the problem will be fixed in any new 5.0 release.
Currently there are no plans do do a new 5.0 release. So if security is a real concern for you, you should upgrade to at least 5.5 (which shouldn't be a big deal) or to 6.0. 


If you can't upgrade and you must fix the issue, you will need to build 
from the source (which is a little painful for TC 5.0).


Regards,

Rainer

CHENG Jianhua wrote:

Dear All,

 
Our company have an application use tomcat 5.0.27 and can't upgrade the

version.
I'm very concern about the security issue relate to this version.

 
Now I have some confusion about tomcat security bulletin

http://tomcat.apache.org/security-5.html
<http://tomcat.apache.org/security-5.html>  .
For example:
------------------------------------------------------------------------
------------------------------------------------
Fixed in Apache Tomcat 5.5.23, 5.0.HEAD         

        important: Information disclosure CVE-2005-2090

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090>  


        Requests with multiple content-length headers should be rejected
as invalid. When multiple components (firewalls, caches, proxies and
Tomcat) process a sequence of requests where one or more requests
contain multiple content-length headers and several components do not
reject the request and make different decisions as to which
content-length leader to use an attacker can poision a web-cache,
perform an XSS attack and obtain senstive information from requests
other then their own. Tomcat now returns 400 for requests with multiple

content-length headers. 


        Affects: 5.0.0-5.0.30, 5.5.0-5.5.22

------------------------------------------------------------------------
------------------------------------------------------------------------
--------------
This issue does affect 5.0.27, but "Fixed in Apache Tomcat 5.5.23,
5.0.HEAD ".  Does "5.0.HEAD" include 5.0.27 itself?
 If so does it mean when I get new release 5.0.27 from tomcat website
then the issue will be fixed? And if new issue has been report such as
"moderate: Cross-site scripting CVE-2007-1355
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355>  " , it
also affects 5.0.27 and Fixed in 5.0.HEAD, does it mean I must get
5.0.27 from tomcat website agagin to fixed this issue?

 
 
Look forward your answer and Thans a lot!
 
Best regards,

Cheng Jianhua


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]























					Reply via email to