You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by "Venkata Reddy (Trianz)" <Ve...@trianz.com> on 2018/04/04 10:05:37 UTC

Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

Hi Team,

Could you please help me on whether tomcat6.0.53 version is also impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

This information is very critical for us.

Unfortunately we are still on the process of migrating our current tomcat6.0.x version usage to tomcat8.5.x.

Thanks in advance.

RE: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

Posted by "Venkata Reddy (Trianz)" <Ve...@trianz.com>.

Both the vulnerabilities are not impacted on tomcat6.0.x.
Thanks a lot Mark and  Rémy for providing the quick information. 

-----Original Message-----
From: Rémy Maucherat [mailto:remm@apache.org] 
Sent: 04 April 2018 17:32
To: Tomcat Users List
Subject: Re: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

On Wed, Apr 4, 2018 at 1:02 PM, Mark Thomas <ma...@apache.org> wrote:

> On 04/04/18 11:54, Rémy Maucherat wrote:
> > On Wed, Apr 4, 2018 at 12:05 PM, Venkata Reddy (Trianz) < 
> > Venkata.Reddy@trianz.com> wrote:
> >
> >> Hi Team,
> >>
> >> Could you please help me on whether tomcat6.0.53 version is also
> impacted
> >> with these vulnerabilities (CVE-2018-1304,
> >
> >
> > Yes.
>
> I thought root context mapping was introduced in Servlet 3.0 (Tomcat 7).
> Did we back-port it?
>

Ok, I think you are right as the text on the "special" - it doesn't look so spacial to me, as it's an exact path - "" path seems to be added in Servlet 3.0. It's a situation where I don't really know what it does in Tomcat 6.0.
On the other one, I know for sure there's no ServletSecurity annotation :)

Rémy


>
> Mark
>
>
> >
> >
> >> CVE-2018-1305)?
> >>
> >
> > No.
> >
> > Rémy
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
**This mail has been sent from an external source**

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

Posted by Rémy Maucherat <re...@apache.org>.

On Wed, Apr 4, 2018 at 1:02 PM, Mark Thomas <ma...@apache.org> wrote:

> On 04/04/18 11:54, Rémy Maucherat wrote:
> > On Wed, Apr 4, 2018 at 12:05 PM, Venkata Reddy (Trianz) <
> > Venkata.Reddy@trianz.com> wrote:
> >
> >> Hi Team,
> >>
> >> Could you please help me on whether tomcat6.0.53 version is also
> impacted
> >> with these vulnerabilities (CVE-2018-1304,
> >
> >
> > Yes.
>
> I thought root context mapping was introduced in Servlet 3.0 (Tomcat 7).
> Did we back-port it?
>

Ok, I think you are right as the text on the "special" - it doesn't look so
spacial to me, as it's an exact path - "" path seems to be added in Servlet
3.0. It's a situation where I don't really know what it does in Tomcat 6.0.
On the other one, I know for sure there's no ServletSecurity annotation :)

Rémy

>
> Mark
>
>
> >
> >
> >> CVE-2018-1305)?
> >>
> >
> > No.
> >
> > Rémy
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

Posted by Mark Thomas <ma...@apache.org>.

On 04/04/18 11:54, Rémy Maucherat wrote:
> On Wed, Apr 4, 2018 at 12:05 PM, Venkata Reddy (Trianz) <
> Venkata.Reddy@trianz.com> wrote:
> 
>> Hi Team,
>>
>> Could you please help me on whether tomcat6.0.53 version is also impacted
>> with these vulnerabilities (CVE-2018-1304,
> 
> 
> Yes.

I thought root context mapping was introduced in Servlet 3.0 (Tomcat 7).
Did we back-port it?

Mark


> 
> 
>> CVE-2018-1305)?
>>
> 
> No.
> 
> Rémy
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

Posted by Rémy Maucherat <re...@apache.org>.

On Wed, Apr 4, 2018 at 12:05 PM, Venkata Reddy (Trianz) <
Venkata.Reddy@trianz.com> wrote:

> Hi Team,
>
> Could you please help me on whether tomcat6.0.53 version is also impacted
> with these vulnerabilities (CVE-2018-1304,


Yes.


> CVE-2018-1305)?
>

No.

Rémy