Posted to users@tomcat.apache.org by Jayant Sane <ja...@hotmail.com> on 2012/03/09 23:19:53 UTC
Want to confirm fix of a security vulnerability
Pardon the re-post but I just wanted some kind of ack from the Tomcat dev team on the following.
Has the "Tomcat WAR deployment directory traversal..." issue as detailed in http://securitytracker.com/id/1023504 been fixed in version 7.0.023?
As I mentioned, the Apache security team won't comment on known security issues.
many thanks, Jayant
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Want to confirm fix of a security vulnerability
Posted by Rainer Jung <ra...@kippdata.de>.
On 09.03.2012 23:19, Jayant Sane wrote:
> Pardon the re-post but I just wanted some kind of ack from the Tomcat dev team on the following.
> Has the "Tomcat WAR deployment directory traversal..." issue as detailed in http://securitytracker.com/id/1023504 been fixed in version 7.0.023?
> As I mentioned, the Apache security team won't comment on known security issues.
It was fixed by
http://svn.apache.org/viewvc?view=revision&revision=892795
before the first release of TC 7.
Regards,
Rainer
Re: Want to confirm fix of a security vulnerability
Posted by Pid <pi...@pidster.com>.
On 09/03/2012 23:55, Au, Leon wrote:
> On 3/9/12 2:19 PM, "Jayant Sane" <ja...@hotmail.com> wrote:
>
>>
>>
>> Pardon the re-post but I just wanted some kind of ack from the Tomcat dev
>> team on the following.
>> Has the "Tomcat WAR deployment directory traversal..." issue as detailed
>> in http://securitytracker.com/id/1023504 been fixed in version 7.0.023?
>> As I mentioned, the Apache security team won't comment on known security
>> issues.
>
> According to your link, only Tomcat major version 5 and 6 were affected.
> Also, the issue was reported Jan 25, 2010. Tomcat 7.0.23 was released Nov
> 25, 2011. I imagine that any issue would have been patched well before
> that.
>
> http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
Tomcat 7.0.2 was released as a beta on 2010-08-11 around 7 months after
the bug was reported.
There have been no fixes to the Cluster since 7.0.22, and the previous 3
versions didn't appear to address such a bug in the cluster mods, so
this is v likely to be a false positive from a poor scan.
p
> Leon
>
>>
>> many thanks, Jayant
--
[key:62590808]
Re: Want to confirm fix of a security vulnerability
Posted by "Au, Leon" <le...@amazon.com>.
On 3/9/12 2:19 PM, "Jayant Sane" <ja...@hotmail.com> wrote:
>
>
>Pardon the re-post but I just wanted some kind of ack from the Tomcat dev
>team on the following.
>Has the "Tomcat WAR deployment directory traversal..." issue as detailed
>in http://securitytracker.com/id/1023504 been fixed in version 7.0.023?
>As I mentioned, the Apache security team won't comment on known security
>issues.
According to your link, only Tomcat major version 5 and 6 were affected.
Also, the issue was reported Jan 25, 2010. Tomcat 7.0.23 was released Nov
25, 2011. I imagine that any issue would have been patched well before
that.
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
Leon
>
>many thanks, Jayant