Mark,

On 1/22/12 5:08 PM, ma...@apache.org wrote:
> Christopher Schultz <ch...@christopherschultz.net> wrote:
>
>> David,
>>
>> On 1/21/12 3:02 AM, David Jorm wrote:
>>> Based on reading the advisory and Tomcat patch code, it seems
>>> to me that the issue is simply slow processing when a very
>>> large number of parameters is received with a request.
>>
>> The parameter names must have colliding hash code values in order
>> to exercise this particular vulnerability. Otherwise, large
>> numbers of request parameters is merely a potential memory
>> exhaustion vulnerability (which is a different issue).
>
> No, no, no. That is completely wrong. CVE-2012-0022 is solely about
> the number of parameters and NOTHING TO DO WITH HASH COLLISIONS.

Sorry, the last time I looked up CVE-2012-0022 it said that it was just a
placeholder, which I assumed was being held in reserve for the hash-collision
bug. I see now that the data has been updated and it even includes a note that
it's NOT CVE-2011-4858.

Sorry for the noise.

-chris
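The distinction drawn in this thread is between two separate problems: a request carrying a very large number of parameters (CVE-2012-0022, a matter of sheer count) and parameter names chosen to collide in a hash table (CVE-2011-4858, a different issue). The mitigation for the first is a hard cap on how many parameters a request is allowed to carry, checked before any per-parameter work is done. The following Python is an added example written for this page; it is not Tomcat's code and does not reproduce Tomcat's parser. The `max_parameter_count` name is modelled on the idea of a configurable parameter limit, and the query strings in the test are constructed inputs.

```python
"""Added example (not from the thread): a query-string parser that refuses
requests with more than a configured number of parameters.

The count check runs on the raw '&'-separated pairs before any decoding or
dictionary insertion, so an oversized request is rejected after O(n) cheap
work rather than after the full (and potentially expensive) processing of
every parameter. This is independent of how parameter names hash."""
from typing import Dict, List
from urllib.parse import unquote_plus


class TooManyParameters(Exception):
    """Raised when a request exceeds the configured parameter cap."""


def parse_query(query: str, max_parameter_count: int = 10000) -> Dict[str, List[str]]:
    """Parse an application/x-www-form-urlencoded query string into a
    name -> [values] mapping, enforcing max_parameter_count.

    max_parameter_count is an assumed, illustrative setting name; the
    default of 10000 is a constructed value for this example."""
    params: Dict[str, List[str]] = {}
    count = 0
    for pair in query.split("&"):
        if not pair:
            # Tolerate empty segments such as "a=1&&b=2"; they carry nothing.
            continue
        count += 1
        if count > max_parameter_count:
            # Bail out before decoding or storing this pair: the cost of
            # reaching this point is bounded by the cap, not by the request.
            raise TooManyParameters(
                f"request carries more than {max_parameter_count} parameters"
            )
        name, _, value = pair.partition("=")
        # Repeated names are legal in form encoding, so keep every value.
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def is_within_limit(query: str, max_parameter_count: int) -> bool:
    """Convenience check: True if the query parses under the given cap."""
    try:
        parse_query(query, max_parameter_count)
    except TooManyParameters:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    small = "user=alice&role=reader&role=editor"
    print(parse_query(small))
    large = "&".join(f"p{i}={i}" for i in range(50))
    print("50 params accepted under cap 100:", is_within_limit(large, 100))
    print("50 params accepted under cap 10: ", is_within_limit(large, 10))
```

The cap is a count, not a size: a request with a few enormous values passes this check and must be handled by a separate body-size limit, while a request with many tiny parameters is stopped here regardless of what their names hash to.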