Leon,

On 2/10/2011 6:03 PM, Leon Rosenberg wrote:
> Short question: I read in http://tomcat.apache.org/security-6.html
> that a possible DoS attack vulnerability has been fixed in the Request
> class.
> Does that mean that CVE-2010-4476 is
> a) not an issue with 6.0.32++
> b) not an issue unless the app uses Double.parseDouble
> c) probably not an issue in Tomcat, at least until someone finds out it is.

Tomcat uses Double.parseDouble in a few places that have not been addressed, but they are used for parsing values supplied by the administrator or webapp developer (like parsing the <web-app> version string, for instance). This appears to be the only use of Double.parseDouble in Tomcat that could really be considered vulnerable.

If you want to protect yourself entirely, consider upgrading or using the "fpupdate" program, which patches your installation's rt.jar file. I have done this on all my servers.

If you want to protect yourself on all Tomcat versions but still be vulnerable to application use of Double.parseDouble, see my followups to Mark's announcement this week: I show you how to protect Tomcat using two different techniques with Apache httpd... these could easily be adapted to use UrlRewrite if you aren't using a web server in front of Tomcat.

-chris
On 2/10/2011 6:03 PM, Leon Rosenberg wrote: > short question, I read in the http://tomcat.apache.org/security-6.html > that a possible DoS attack vulnerability has been fixed in Request > class. > Does that mean that CVE-2010-4476 is > a) not an issue with 6.0.32++ > b) not an issue unless the app uses Double.parseDouble > c) probably not in issue in tomcat, at least until someone finds out it is. Tomcat uses Double.parseDouble in a few places that have not been addressed, but they are used for parsing values supplied by the administrator or webapp developer (like parsing the <web-app> version string, for instance). This appears to be the only use of Double.parseDouble in Tomcat that could really be considered vulnerable. If you want to protect yourself entirely, consider upgrading or using the "fpupdate" program which patches your installation's rt.jar file. I have done this on all my servers. If you want to protect yourself on all Tomcat versions but still be vulnerable to application use of Double.parseDouble, see my followups to Mark's announcement this week: I show you how to protect Tomcat using two different techniques with Apache httpd... these could easily be adapted to use UrlRewrite if you aren't using a web server in front of Tomcat. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk1VY4IACgkQ9CaO5/Lv0PDGXACfcstSTQ/4uZCaQ4EL6+4S0Rl+ V8YAoIkZqeq7rdXbwSi7bQs85ndmO0r+ =6h/3 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org