Re: Want to confirm fix of a security vulnerability
On 09/03/2012 23:55, Au, Leon wrote:
> On 3/9/12 2:19 PM, Jayant Sane jayant_s...@hotmail.com wrote:
>> Pardon the re-post but I just wanted some kind of ack from the Tomcat dev team on the following.
>>
>> Has the Tomcat WAR deployment directory traversal... issue as detailed in http://securitytracker.com/id/1023504 been fixed in version 7.0.023?
>>
>> As I mentioned, the Apache security team won't comment on known security issues.
>
> According to your link, only Tomcat major version 5 and 6 were affected. Also, the issue was reported Jan 25, 2010. Tomcat 7.0.23 was released Nov 25, 2011. I imagine that any issue would have been patched well before that.
>
> http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Tomcat 7.0.2 was released as a beta on 2010-08-11 around 7 months after the bug was reported. There have been no fixes to the Cluster since 7.0.22, and the previous 3 versions didn't appear to address such a bug in the cluster mods, so this is v likely to be a false positive from a poor scan.

p

> Leon
>
>> many thanks,
>> Jayant

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Want to confirm fix of a security vulnerability
On 09.03.2012 23:19, Jayant Sane wrote:
> Pardon the re-post but I just wanted some kind of ack from the Tomcat dev team on the following.
>
> Has the Tomcat WAR deployment directory traversal... issue as detailed in http://securitytracker.com/id/1023504 been fixed in version 7.0.023?
>
> As I mentioned, the Apache security team won't comment on known security issues.

It was fixed by http://svn.apache.org/viewvc?view=revision&revision=892795 before the first release of TC 7.

Regards,
Rainer
Want to confirm fix of a security vulnerability
Pardon the re-post but I just wanted some kind of ack from the Tomcat dev team on the following.

Has the Tomcat WAR deployment directory traversal... issue as detailed in http://securitytracker.com/id/1023504 been fixed in version 7.0.023?

As I mentioned, the Apache security team won't comment on known security issues.

many thanks,
Jayant
Re: Want to confirm fix of a security vulnerability
On 3/9/12 2:19 PM, Jayant Sane jayant_s...@hotmail.com wrote:
> Pardon the re-post but I just wanted some kind of ack from the Tomcat dev team on the following.
>
> Has the Tomcat WAR deployment directory traversal... issue as detailed in http://securitytracker.com/id/1023504 been fixed in version 7.0.023?
>
> As I mentioned, the Apache security team won't comment on known security issues.

According to your link, only Tomcat major version 5 and 6 were affected. Also, the issue was reported Jan 25, 2010. Tomcat 7.0.23 was released Nov 25, 2011. I imagine that any issue would have been patched well before that.

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Leon

> many thanks,
> Jayant