Mark Thomas wrote:

Sorry folks - I should have deleted this header before I sent the message out.

> Folks,
>
> Any comments on the announcement below before I send it to the usual suspects?
>
> Mark
The important bit starts here:

> CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Update 2
>
> Severity: Important
>
> Vendor:
> Multiple (was The Apache Software Foundation)
>
> Versions Affected:
> Various
>
> Description (new information):
> This vulnerability was originally reported to the Apache Software Foundation as
> a Tomcat vulnerability. Investigations quickly identified that the root cause
> was an issue with the UTF-8 charset implementation within the JVM. The issue
> existed in multiple JVMs including current versions from Sun, HP, IBM, Apple and
> Apache.
>
> It was decided to continue to report this as a Tomcat vulnerability until such
> time as the JVM vendors had released fixed versions.
>
> Unfortunately, the release of fixed JVMs and associated vulnerability disclosure
> has not been co-ordinated. There has been some confusion within the user
> community as to the nature and root cause of CVE-2008-2938. Therefore, the
> Apache Tomcat Security Team is issuing this update to clarify the situation.
>
> Mitigation:
> Contact your JVM vendor for further information.
> Tomcat users may upgrade as follows to a Tomcat version that contains a
> workaround:
> 6.0.x users should upgrade to 6.0.18
> 5.5.x users should upgrade to 5.5.27
> 4.1.x users should upgrade to 4.1.39
>
> Credit:
> This additional information was discovered by the Apache security team.
>
> References:
> http://tomcat.apache.org/security.html
>
> Mark Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
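The announcement places the root cause in the JVM's UTF-8 charset implementation and tells users to ask their JVM vendor, but it does not say how to tell whether the JVM in front of you decodes UTF-8 strictly. The following is an added conformance check, written for this page and not part of the Tomcat announcement or the Tomcat code base. It runs a small set of byte sequences through the JVM's own UTF-8 CharsetDecoder in REPORT mode and counts the ones handled contrary to RFC 3629. The test vectors are generic, constructed examples (an overlong form, a lone continuation byte, a truncated sequence, an encoded surrogate, an out-of-range lead byte); the announcement does not state which sequences the affected JVMs mishandled, so this check exercises general decoder strictness rather than the specific defect. The class and method names are my own.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CodingErrorAction;

/*
 * Added check, not from the Tomcat announcement: run the JVM's UTF-8
 * decoder over constructed vectors and report any result that disagrees
 * with RFC 3629. Charset.forName is used rather than StandardCharsets so
 * the class also compiles on the older JVMs this announcement concerns.
 */
public class Utf8DecoderCheck {

    /* Constructed inputs a conforming decoder must accept. */
    static final byte[][] WELL_FORMED = {
        {0x41, 0x42, 0x43},                                   // "ABC" (ASCII)
        {(byte) 0xC3, (byte) 0xA9},                           // U+00E9, two-byte form
        {(byte) 0xE2, (byte) 0x82, (byte) 0xAC},              // U+20AC, three-byte form
        {(byte) 0xF0, (byte) 0x9F, (byte) 0x98, (byte) 0x80}, // U+1F600, four-byte form
    };

    /* Constructed inputs a conforming decoder must reject (RFC 3629, section 3). */
    static final byte[][] MALFORMED = {
        {(byte) 0xC1, (byte) 0x81},                           // overlong two-byte form of 'A'
        {(byte) 0xE0, (byte) 0x80, (byte) 0x80},              // overlong three-byte form of U+0000
        {(byte) 0x80},                                        // lone continuation byte
        {(byte) 0xE2, (byte) 0x82},                           // truncated three-byte sequence
        {(byte) 0xED, (byte) 0xA0, (byte) 0x80},              // encoded UTF-16 surrogate U+D800
        {(byte) 0xF5, (byte) 0x80, (byte) 0x80, (byte) 0x80}, // lead byte beyond U+10FFFF
    };

    /* Strict decoder: malformed input raises instead of being silently replaced. */
    static CharsetDecoder strictDecoder() {
        return Charset.forName("UTF-8").newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
    }

    /* True if this JVM's decoder accepts the bytes without reporting an error. */
    static boolean accepts(byte[] input) {
        try {
            strictDecoder().decode(ByteBuffer.wrap(input));
            return true;
        } catch (CharacterCodingException e) {
            return false;
        }
    }

    /* Number of vectors handled contrary to RFC 3629; 0 means the decoder is strict. */
    static int countFailures() {
        int failures = 0;
        for (byte[] b : WELL_FORMED) {
            if (!accepts(b)) { failures++; report("REJECTED well-formed", b); }
        }
        for (byte[] b : MALFORMED) {
            if (accepts(b)) { failures++; report("ACCEPTED malformed", b); }
        }
        return failures;
    }

    static void report(String what, byte[] b) {
        StringBuilder hex = new StringBuilder();
        for (byte x : b) hex.append(String.format("%02X ", x & 0xFF));
        System.out.println(what + ": " + hex.toString().trim());
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version")
                + ", java.vendor = " + System.getProperty("java.vendor"));
        int failures = countFailures();
        System.out.println(failures == 0
                ? "UTF-8 decoder: all vectors handled as RFC 3629 requires"
                : "UTF-8 decoder: " + failures + " unexpected result(s), see lines above");
    }
}
```

Compile with javac and run it under each JVM you operate Tomcat on; the first output line records which JVM was exercised. A non-zero count tells you only that this JVM's CharsetDecoder is not strict on one of these generic vectors, which is a reason to follow the announcement's advice and ask the vendor about fixed versions; a zero count does not by itself prove the JVM carries the vendor's fix for CVE-2008-2938, since the specific sequences involved are not given here and Tomcat's own URI decoding path may not go through CharsetDecoder at all.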