Jeff - the first patch (for WEB-INF) was supposed to be fixed for 6.0.20:
http://svn.apache.org/viewvc?view=rev&revision=734734

After re-implementing your webapps on TC 6.0.20, please let us know if you have a corner case which is able to bypass this patch. As this is an important patch, feel free to ping me offline.

Thanks,
Martin Gainty

Subject: RE: avoiding ssl vulnerabilities in tomcat
Date: Wed, 12 Aug 2009 09:51:30 -0500
From: jeffrey.jan...@polydyne.com
To: users@tomcat.apache.org
Just to clarify some things: This CVE only applies to the default SSL connector functionality. It doesn't apply to the APR/OpenSSL connector. Correct?

Jeff

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, August 12, 2009 9:46 AM
To: Tomcat Users List
Subject: Re: avoiding ssl vulnerabilities in tomcat

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sunil,

On 8/12/2009 3:12 AM, sunil chandran wrote:
> The issue is SSL vulnerability. From the responses, I understood that
> I need to upgrade to the latest Tomcat version. As per the team, it is
> recommended to go for Tomcat 5 in our environment.

With all due respect to your team, I think they are making a mistake. Either of these is a better choice in my opinion:

1. Upgrade to the latest version of 4.1.x, which is 4.1.40. This will provide the least headache because you will be staying on your current Tomcat version, just improving your patch level. Plan to upgrade to a newer release of Tomcat in the future.

2. Upgrade directly to Tomcat 6 without making a stop at Tomcat 5.5. If you are going to upgrade major versions, there is absolutely no reason for you to go to Tomcat 5.5, which will eventually have support dropped just like Tomcat 4.1 did.

> My question is: Is this vulnerability solved in the Tomcat 5 version?

Sheesh. Did you read the CVE description?

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1858

It clearly says that Tomcat 5.5 is vulnerable through 5.5.17 (which is inaccurate: the fix for this is documented to be in 5.5.17). Make sure you are using a version later than that if you must use 5.5.

Now, before you ask about what version of Tomcat 6 you need in order to avoid this vulnerability, let me help you:

1. Go to Tomcat's web site (http://tomcat.apache.org/)
2. Follow the link that says "Security"
3. Pick your major Tomcat version
4. Read the fixes. Each one mentions the CVE identifier, a description of the problem, the versions of Tomcat affected, and the version in which a fix appears.

All this information is easy to find on the Tomcat web site. Please read the documentation before continuing to ask questions such as these.

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkqC1ZUACgkQ9CaO5/Lv0PCU0ACfRTpiCEBpHAPCHyU0zB9nEX7s
ZSEAoJb6rG+4aQCzX2iyP9B3VqLODGFX
=z6Bp
-----END PGP SIGNATURE-----