On 10/02/2011 23:03, Leon Rosenberg wrote:
> Hi,
>
> short question, I read in the http://tomcat.apache.org/security-6.html
> that a possible DoS attack vulnerability has been fixed in Request
> class.
> Does that mean that CVE-2010-4476 is
> a) not an issue with 6.0.32++

True. Also not an issue with 7.0.8+ and 5.5.33+

> b) not an issue unless the app uses Double.parseDouble

False. As per the announcement sent to all the usual places:

<quote>
Tomcat is affected when accessing a form based security constrained page
or any page that calls javax.servlet.ServletRequest.getLocale() or
javax.servlet.ServletRequest.getLocales().
</quote>

> c) probably not an issue in tomcat, at least until someone finds out it is.

False. See above.

I would add that Oracle have now released a patch for 1.6.0_23. If
running on a patched JVM, CVE-2010-4476 is not an issue for *any* Tomcat
version.

Mark
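The reason getLocale()/getLocales() matter is that they are driven by the Accept-Language request header, whose q-values are decimal numbers that a naive implementation feeds straight into Double.parseDouble(). The following is an added example, not Tomcat's own code and not the workaround the Tomcat project shipped: a header parser that restricts q-values to the RFC 2616 grammar and converts them to integer thousandths by hand, so request-controlled text never reaches the JVM's floating-point parser. Class and method names (SafeAcceptLanguage, parseQ, parse) are the example's own; it assumes Java 8 or later for the lambda comparator.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Tomcat code): parse Accept-Language without ever calling
 * Double.parseDouble() on data taken from the request.
 */
public class SafeAcceptLanguage {

    /** One language range with its weight expressed in thousandths (0..1000). */
    public static final class Entry {
        public final Locale locale;
        public final int qMillis;
        Entry(Locale locale, int qMillis) { this.locale = locale; this.qMillis = qMillis; }
        @Override public String toString() { return locale + ";q=" + qMillis / 1000.0; }
    }

    // RFC 2616 section 3.9: qvalue = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
    private static final Pattern QVALUE =
        Pattern.compile("^(?:0(?:\\.([0-9]{0,3}))?|1(?:\\.0{0,3})?)$");
    // RFC 2616 section 14.4: language-range = ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*"
    private static final Pattern LANGUAGE_RANGE =
        Pattern.compile("^(?:\\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)$");

    /** Converts a q-value to thousandths using integer arithmetic only; -1 if malformed. */
    static int parseQ(String q) {
        Matcher m = QVALUE.matcher(q);
        if (!m.matches()) return -1;          // anything outside the grammar is rejected
        if (q.charAt(0) == '1') return 1000;  // "1", "1.", "1.0", "1.00", "1.000"
        String frac = m.group(1) == null ? "" : m.group(1);
        int v = 0;
        for (int i = 0; i < 3; i++) {         // pad missing digits with zeros: "0.5" -> 500
            v = v * 10 + (i < frac.length() ? frac.charAt(i) - '0' : 0);
        }
        return v;
    }

    /** Builds a Locale from a language-range; "*" maps to Locale.ROOT. */
    static Locale toLocale(String range) {
        if ("*".equals(range)) return Locale.ROOT;
        String[] tags = range.split("-", 2);
        return tags.length > 1 ? new Locale(tags[0], tags[1]) : new Locale(tags[0]);
    }

    /** Parses the header into entries sorted by descending weight; malformed elements are dropped. */
    public static List<Entry> parse(String header) {
        List<Entry> out = new ArrayList<>();
        if (header == null) return out;
        for (String element : header.split(",")) {
            String[] parts = element.trim().split(";");
            String range = parts[0].trim();
            if (!LANGUAGE_RANGE.matcher(range).matches()) continue;
            int q = 1000;                      // default weight when no q parameter is given
            for (int i = 1; i < parts.length; i++) {
                String p = parts[i].trim();
                if (p.length() > 2 && (p.charAt(0) == 'q' || p.charAt(0) == 'Q') && p.charAt(1) == '=') {
                    q = parseQ(p.substring(2).trim());
                }
            }
            if (q <= 0) continue;              // malformed, or q=0 meaning "not acceptable"
            out.add(new Entry(toLocale(range), q));
        }
        out.sort((a, b) -> Integer.compare(b.qMillis, a.qMillis));
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample header: one element carries a q-value outside the grammar and is dropped.
        String header = "de-DE;q=0.8, en;q=0.5, *;q=0.1, fr;q=1e-308, it;q=0";
        for (Entry e : parse(header)) {
            System.out.println(e);
        }
    }
}
```

The point of doing the conversion by hand is not performance but reachability: the only code that turns the header's text into a number is the three-digit loop above, so the question "does this request path call Double.parseDouble()?" has a provably negative answer regardless of which JVM the container runs on.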