Folks,

Any comments on the announcement below before I send it to the usual suspects?

Mark

CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Update 2

Severity: Important

Vendor: Multiple (was The Apache Software Foundation)

Versions Affected: Various

Description (new information):
This vulnerability was originally reported to the Apache Software Foundation as a Tomcat vulnerability. Investigations quickly identified that the root cause was an issue with the UTF-8 charset implementation within the JVM. The issue existed in multiple JVMs including current versions from Sun, HP, IBM, Apple and Apache.
It was decided to continue to report this as a Tomcat vulnerability until such time as the JVM vendors had released fixed versions.
Unfortunately, the release of fixed JVMs and associated vulnerability disclosure has not been co-ordinated. There has been some confusion within the user community as to the nature and root cause of CVE-2008-2938. Therefore, the Apache Tomcat Security Team is issuing this update to clarify the situation.

Mitigation:
Contact your JVM vendor for further information.
Tomcat users may upgrade as follows to a Tomcat version that contains a workaround:
6.0.x users should upgrade to 6.0.18
5.5.x users should upgrade to 5.5.27
4.1.x users should upgrade to 4.1.39

Credit:
This additional information was discovered by the Apache security team.

References:
http://tomcat.apache.org/security.html

Mark Thomas