Posted to users@tomcat.apache.org by Christopher Restorff <ch...@criticalwatch.com> on 2012/02/07 21:01:47 UTC

Question regarding mappings for CVE-2005-4836

Hello,

I have a question regarding CVE-2005-4836:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4836

The security bulletin, http://tomcat.apache.org/security-4.html,
mentions that it will not be fixed in 4.x. However, there is no
indication as to whether it affects 5.x or beyond. Is this issue
persistent in the 5, 6, and 7 versions? If not, which versions are not
affected?

Any help will be greatly appreciated. Thank you for your time.

Sorry if this is a repost. I think I sent it to the wrong address and 
never got any responses/confirmation that it went through.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Question regarding mappings for CVE-2005-4836

Posted by Christopher Restorff <ch...@criticalwatch.com>.
> If you carefully read the security report for Tomcat 4, you'll see
> that the bug exists in a deprecated connector. If you are using the
> standard Coyote connector, then you are safe.
>
> For completeness, these are the connectors that are vulnerable to this
> issue:
> org.apache.coyote.tomcat4.CoyoteConnector
> org.apache.catalina.connector.http.HttpConnector
>
> Neither of these classes are included in the current 5.5 line
> (5.5.35), nor are they included in the current 6.0 line (6.0.35), nor
> are they included in the current 7.0 line (7.0.25).
>
> If you are using a currently-supported version of Tomcat and you are
> up to date, then you are not vulnerable to this ancient vulnerability.
Thanks! That was the information I needed. I was unable to find the 
information on which connectors and was at a loss. I've now looked into 
them.

Thank you both Chris and Leon for your help.




Re: Question regarding mappings for CVE-2005-4836

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Christopher,

On 2/7/12 3:01 PM, Christopher Restorff wrote:
> I have a question regarding CVE-2005-4836: 
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4836

Wow. Blast from the past.

> The security bulletin, http://tomcat.apache.org/security-4.html, 
> mentions that it will not be fixed in 4.x. However, there is no 
> indication as to whether it affects 5.x or beyond.

Sure there is: look at the section on the page above titled
"Vulnerable software and versions". It clearly says that certain
versions of Tomcat 5.0.x and 5.0.x are affected.

> Is this issue persistent in the 5, 6, and 7 versions? If not,
> which versions are not affected?

If you carefully read the security report for Tomcat 4, you'll see
that the bug exists in a deprecated connector. If you are using the
standard Coyote connector, then you are safe.

For completeness, these are the connectors that are vulnerable to this
issue:
org.apache.coyote.tomcat4.CoyoteConnector
org.apache.catalina.connector.http.HttpConnector

Neither of these classes are included in the current 5.5 line
(5.5.35), nor are they included in the current 6.0 line (6.0.35), nor
are they included in the current 7.0 line (7.0.25).

If you are using a currently-supported version of Tomcat and you are
up to date, then you are not vulnerable to this ancient vulnerability.

-chris

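Added example, not part of the thread: a Python check that parses a server.xml and reports active `<Connector>` elements whose class is one of the two named in the reply above. It assumes the connector class is selected through the `className` attribute, as in a Tomcat 4.x server.xml; the sample file and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Connector classes named in the reply above as vulnerable to CVE-2005-4836.
VULNERABLE_CONNECTORS = {
    "org.apache.coyote.tomcat4.CoyoteConnector",
    "org.apache.catalina.connector.http.HttpConnector",
}

# Constructed sample in the style of a Tomcat 4.x server.xml (not from the thread).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080" redirectPort="8443"/>
    <!-- <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8081"/> -->
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8009"/>
    <Connector port="8443" protocol="HTTP/1.1"/>
    <Engine name="Standalone" defaultHost="localhost"/>
  </Service>
</Server>
"""


def find_vulnerable_connectors(server_xml_text):
    """Return (service name, className, port) for each active vulnerable Connector.

    Commented-out connectors are skipped because the XML parser drops comments,
    and connectors without a className attribute never match.
    """
    root = ET.fromstring(server_xml_text)
    findings = []
    for service in root.iter("Service"):
        for conn in service.iter("Connector"):
            cls = (conn.get("className") or "").strip()
            if cls in VULNERABLE_CONNECTORS:
                findings.append((service.get("name"), cls, conn.get("port")))
    return findings


if __name__ == "__main__":
    for service, cls, port in find_vulnerable_connectors(SAMPLE_SERVER_XML):
        print(f"service={service} port={port} uses {cls}")
```
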


Re: Question regarding mappings for CVE-2005-4836

Posted by "Au, Leon" <le...@amazon.com>.
On 2/7/12 12:01 PM, "Christopher Restorff"
<ch...@criticalwatch.com> wrote:

>Hello,
>
>I have a question regarding CVE-2005-4836:
>http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4836
>
>The security bulletin, http://tomcat.apache.org/security-4.html,
>mentions that it will not be fixed in 4.x. However, there is no
>indication as to whether it affects 5.x or beyond. Is this issue
>persistent in the 5, 6, and 7 versions? If not, which versions are not
>affected?

The link that you posted has a section on vulnerable software and
versions.  My guess is that it has the complete list of all versions
affected.

Leon

>
>Any help will be greatly appreciated. Thank you for your time.
>
>Sorry if this is a repost. I think I sent it to the wrong address and
>never got any responses/confirmation that it went through.

