-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Amit,
Please keep conversations on-list to benefit others. On 9/8/2011 3:57 PM, Anand, Amit (Contractor) wrote: > Thank you very much for all your help! Like I said, not very good > with Tomcat. So this patch should fix this CVE-2011-3109 (Bug > 51698). Yes. > The thing is, I don’t even know how to implement it.... Tomcat doesn't provide binary patches, so you have to do this at the source level. You can download the source for Tomcat 6.0.33, then apply the patch to the source (2 Java files were modified... you could do it by hand if you don't know how to use "patch"), then re-build. You only really need to re-compile the 2 files that were modified. You could also wait for 6.0.34. If you are really anxious, the easiest thing to do is to add a shared "secret" to both your proxy and Tomcat: this will essentially eliminate this particular threat. Look for "request.secret" on this page: http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5pLpwACgkQ9CaO5/Lv0PBBwwCcDUtGKFzxFFzNidl0i7rjdB3N gBYAn3oH7EAya7w1C/vnI///diS8zgpg =qMI+ -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
