Hi Mark,

Do you understand exactly what vulnerability they are talking about? For some reason, they have determined that I have it, even though I'm not using Jrun but they wrongly assume I am. What do you mean exactly by "app managing its own authentication"? Sorry if it is a dumb question.

I found this on Google, and now that I read it I realize they are quoting you! :-)
http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm
Is this the same subject?

Thanks a lot for your response!

> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Sunday, October 10, 2010 02:46 PM
> To: Tomcat Users List
> Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
>
> On 10/10/2010 20:32, Brian wrote:
> > I'm not using Jrun, but I guess the vulnerability applies also to Tomcat
> > 6.0.29 so they treated me as if I was using Jrun with that vulnerability.
>
> That guess has no basis in fact.
>
> > Does anybody know what should I do to solve this now?
>
> There is nothing to fix unless you are running an app that is vulnerable (possible
> if the app manages its own authentication). If you are, fix your app.
>
> > I guess they are talking about this issue (please read issue # 2):
> > http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm
>
> Did you look at the Tomcat 6.0.x change log? Go read the entries for 6.0.21.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org