Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5
On 02/07/2021 16:44, James H. H. Lampert wrote:
> On 7/2/21 12:02 AM, Mark Thomas wrote:
>> It is an alternative session manager that persists session data via a
>> configured Store. There are two Store implementations provided by
>> default - File and DataSource. You would know if you were using it as it
>> requires explicit configuration.
>
> Thanks for the specific documentation link; I would not have known where
> to look in the docs. My friends and colleagues seem to think I have
> brilliant research skills; in fact, I simply have no qualms about asking
> for help.
>
> Our webapp totally lacks a "context.xml" (I looked for one) but I see
> such files, with Manager elements, in the manager and host-manager
> webapps. Are they affected by CVE-2021-25329/CVE-2020-9484?

Not unless you have changed the default configuration to use the persistent manager (via the className attribute).

Mark

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
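Added example, not part of the original thread and not Tomcat project code: a small check that reports only those Manager elements whose className attribute selects the persistent manager, which is the condition given in the reply above. The fully qualified class names are Tomcat's stock ones rather than values quoted in the thread, and the function names and sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"

# Constructed samples: a Manager element without className (default manager)
# and one that explicitly selects the persistent manager with a file Store.
DEFAULT_CONTEXT = """<Context privileged="true">
  <Manager sessionAttributeValueClassNameFilter="java\\.lang\\.String"/>
</Context>"""
PERSISTENT_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""


def find_persistent_managers(xml_text):
    """Return (manager className, store className) for each opted-in Manager.

    Only the stock class name is matched; a custom subclass would need to be
    added to the comparison by hand.
    """
    findings = []
    for manager in ET.fromstring(xml_text).iter("Manager"):
        if (manager.get("className") or "").strip() != PERSISTENT_MANAGER:
            continue  # no className, or another manager: not the persistent one
        store = manager.find("Store")
        findings.append((PERSISTENT_MANAGER,
                         store.get("className") if store is not None else None))
    return findings


def scan_tree(base):
    """Check every *.xml under base (conf/, webapps/*/META-INF/, ...)."""
    report = {}
    for path in sorted(Path(base).rglob("*.xml")):
        try:
            hits = find_persistent_managers(path.read_text(encoding="utf-8"))
        except (ET.ParseError, OSError, UnicodeDecodeError):
            continue  # unreadable or not well-formed XML: skip it
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, hits)
```

Run it against the Tomcat base directory; an empty result means no scanned file selects the persistent manager by its stock class name.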
Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5
James,

On 7/2/21 11:44, James H. H. Lampert wrote:
> On 7/2/21 12:02 AM, Mark Thomas wrote:
>> It is an alternative session manager that persists session data via a
>> configured Store. There are two Store implementations provided by
>> default - File and DataSource. You would know if you were using it as it
>> requires explicit configuration.
>
> Thanks for the specific documentation link; I would not have known where
> to look in the docs. My friends and colleagues seem to think I have
> brilliant research skills; in fact, I simply have no qualms about asking
> for help.
>
> Our webapp totally lacks a "context.xml" (I looked for one) but I see
> such files, with Manager elements, in the manager and host-manager
> webapps. Are they affected by CVE-2021-25329/CVE-2020-9484?
>
> Incidentally, speaking of those webapps, when installing, we immediately
> jettison all as-shipped webapps *except* manager and host-manager. We
> use manager all the time, but I'm not even sure what host-manager does.

I honestly have never seen a real-world use-case for where the host-manager is useful. I'm sure it's critically important for somebody out there, though.

-chris
Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5
On 7/2/21 12:02 AM, Mark Thomas wrote:
> It is an alternative session manager that persists session data via a
> configured Store. There are two Store implementations provided by
> default - File and DataSource. You would know if you were using it as it
> requires explicit configuration.

Thanks for the specific documentation link; I would not have known where to look in the docs. My friends and colleagues seem to think I have brilliant research skills; in fact, I simply have no qualms about asking for help.

Our webapp totally lacks a "context.xml" (I looked for one) but I see such files, with Manager elements, in the manager and host-manager webapps. Are they affected by CVE-2021-25329/CVE-2020-9484?

Incidentally, speaking of those webapps, when installing, we immediately jettison all as-shipped webapps *except* manager and host-manager. We use manager all the time, but I'm not even sure what host-manager does.

--
JHHL