Posted to users@tomcat.apache.org by "Pichen, Douglas" <Do...@molex.com> on 2006/05/25 18:05:44 UTC

Apache Cookie Buffer Overflow

Hello,

We just installed a JBOSS server in our production Environment... 
Apparently JBOSS came bundled with Apache Tomcat/5.5.9

Our current environment is:
Windows 2003 SP1
JBOSS 4.0.2
JVM Version: 1.4.2_11-b06
Apache Tomcat/5.5.9

Our security scanner has picked up 2 security vulnerabilities on this server.

"Apache Cookie Buffer Overflow"
"HTTP Buffer Overflows"

Our security scanner indicated that we need to upgrade from Apache v1.1.1 to v1.3.2... but since we are already on Apache Tomcat/5.5.9... I don't think that is correct.  

The scanner also indicated that we may be able to change a field in Apache called LimitRequestFieldsize...   Thus far I have been unable to find this LimitRequestFieldsize field in any of our config files... 

Is the LimitRequestFieldsize in Apache V.1.1.1 the same as maxHttpHeaderSize in Apache Tomcat/5.5.9?

Any suggestions would be appreciated.
Thank you
--Doug










Re: Apache Cookie Buffer Overflow

Posted by de...@hanik.com.
Your scanner "may not work so well"; it thinks that Tomcat is Apache httpd.
The warnings you see, and the suggested fix, are related to
httpd.apache.org, not tomcat.apache.org.

Two different products.

> Hello,
>
> We just installed a JBOSS server in our production Environment...
> Apparently JBOSS came bundled with Apache Tomcat/5.5.9
>
> Our current environment is:
> Windows 2003 SP1
> JBOSS 4.0.2
> JVM Version: 1.4.2_11-b06
> Apache Tomcat/5.5.9
>
> Our security scanner has picked up 2 security vulnerabilities on this
> server.
>
> "Apache Cookie Buffer Overflow"
> "HTTP Buffer Overflows"
>
> Our security scanner indicated that we need to upgrade from Apache v1.1.1
> to v1.3.2... but since we are already on Apache Tomcat/5.5.9... I don't
> think that is correct.
>
> The scanner also indicated that we may be able to change a field in Apache
> called LimitRequestFieldsize...   Thus far I have been unable to find this
> LimitRequestFieldsize field in any of our config files...
>
> Is the LimitRequestFieldsize in Apache V.1.1.1 the same as
> maxHttpHeaderSize in Apache Tomcat/5.5.9?
>
> Any suggestions would be appreciated.
> Thank you
> --Doug
>
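
Added example, not part of the original thread: a small Python triage helper that reads the Server banner to tell Tomcat's Coyote connector from Apache httpd before accepting an httpd-specific scanner finding. The sample responses are constructed and the function names are hypothetical; Tomcat 5.5's HTTP connector identifies itself as Apache-Coyote/1.1 by default.

```python
import re

# Constructed sample responses (not captured from the poster's server).
TOMCAT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Powered-By: Servlet 2.4; JBoss-4.0.2\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HTTPD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.2 (Unix)\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# Banner patterns: Tomcat's Coyote connector is checked before Apache httpd.
PRODUCTS = [
    ("tomcat", re.compile(r"^Apache-Coyote/[\d.]+", re.I)),
    ("httpd", re.compile(r"^Apache(?:/[\d.]+)?(?:\s|$)", re.I)),
]

def parse_headers(raw):
    """Return response headers as a dict with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def identify_product(raw):
    """Classify the server from its Server banner; 'unknown' if no match."""
    banner = parse_headers(raw).get("server", "")
    for product, pattern in PRODUCTS:
        if pattern.search(banner):
            return product
    return "unknown"

def triage(finding_product, raw):
    """Decide whether a finding written for one product applies here."""
    actual = identify_product(raw)
    if actual == "unknown":
        return "verify manually"
    return "applies" if actual == finding_product else "likely false positive"
```

Banners can be changed or hidden, so confirm the result against what is actually installed on the host.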


