Christopher Schultz wrote:
Mark,
On 6/3/2009 11:42 AM, Mark Thomas wrote:
CVE-2009-0580: Tomcat information disclosure vulnerability
I know I'm likely to get a vague response, but could you provide some
more info about this issue?
I'm sorry you have that impression. As I hope you see
Mark,
On 6/5/2009 7:03 AM, Mark Thomas wrote:
Christopher Schultz wrote:
Mark,
On 6/3/2009 11:42 AM, Mark Thomas wrote:
CVE-2009-0580: Tomcat information disclosure vulnerability
I know I'm likely to get a vague response, but could you provide
Christopher Schultz wrote:
For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and
4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are
vulnerable.
I'm afraid I still don't understand the vulnerability in 5.5's
DataSourceRealm (the one I actually look at in
Mark,
On 6/5/2009 12:14 PM, Mark Thomas wrote:
Christopher Schultz wrote:
For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and
4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are
vulnerable.
I'm afraid I still
Mark,
On 6/3/2009 11:42 AM, Mark Thomas wrote:
CVE-2009-0580: Tomcat information disclosure vulnerability
I know I'm likely to get a vague response, but could you provide some
more info about this issue?
Due to insufficient error checking in some
On Thu, Jun 4, 2009 at 6:48 PM, Christopher Schultz
ch...@christopherschultz.net wrote:
I don't see any information disclosure vulnerability in the first place,
and I don't see how your patch would have fixed it.
??!
The behavior was different if the user is not found or if the password is
It looks to me like the change fixes an NPE when a null or nonsense
password is given. The NPE would allow an attacker to determine if a
username is valid (without having to know the password). Not the most
serious security breach, but login protocols aren't supposed to let
you guess usernames.
--
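The username oracle Rémy describes, modelled as an added example (this is not Tomcat's Realm code or the patch under discussion): a credential check that dereferences the looked-up password before handling the user-not-found case throws a NullPointerException for unknown users but returns a clean failure for known users with a wrong password, so the two cases are distinguishable from outside. The user table, the helper names and the HTTP-status labels are assumptions made for this illustration.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration, not Tomcat code: a minimal model of a credential-lookup
 * Realm showing how an unhandled NullPointerException becomes a username oracle.
 * USERS, lookupPassword, authenticateVulnerable, authenticateFixed and probe are
 * names assumed for this example.
 */
public class RealmOracleDemo {

    // Constructed sample data standing in for the Realm's user table.
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", "s3cret");
        USERS.put("bob", "hunter2");
    }

    /** Returns the stored credential, or null when the user does not exist (as a DB row lookup would). */
    static String lookupPassword(String username) {
        return USERS.get(username);
    }

    /** Vulnerable pattern: the stored value is dereferenced before the user-not-found case is handled. */
    static boolean authenticateVulnerable(String username, String credentials) {
        String stored = lookupPassword(username);
        // NPE when stored == null (unknown user); plain false when the password is wrong.
        return stored.equals(credentials);
    }

    /** Fixed pattern: unknown user, null password and wrong password all take the same path. */
    static boolean authenticateFixed(String username, String credentials) {
        String stored = lookupPassword(username);
        if (stored == null || credentials == null) {
            return false;
        }
        return stored.equals(credentials);
    }

    /** Outcome as an attacker sees it: an uncaught exception (500) versus a clean rejection (401). */
    static String probe(boolean fixed, String username) {
        try {
            boolean ok = fixed ? authenticateFixed(username, "wrong-guess")
                               : authenticateVulnerable(username, "wrong-guess");
            return ok ? "200 authenticated" : "401 rejected";
        } catch (NullPointerException e) {
            return "500 server error";
        }
    }

    public static void main(String[] args) {
        // With the vulnerable realm, "alice" and "nobody" produce different responses;
        // with the fixed realm, both are rejected the same way.
        for (String user : new String[] {"alice", "nobody"}) {
            System.out.printf("vulnerable %-7s -> %s%n", user, probe(false, user));
            System.out.printf("fixed      %-7s -> %s%n", user, probe(true, user));
        }
    }
}
```

The check a reviewer wants on any Realm change of this kind is that every failure branch (no such user, null or malformed credentials, wrong password) returns the same value through the same code path, with no exception escaping to the container; an attacker only needs one distinguishable response to enumerate accounts.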
Rémy,
On 6/4/2009 1:04 PM, Rémy Maucherat wrote:
On Thu, Jun 4, 2009 at 6:48 PM, Christopher Schultz
ch...@christopherschultz.net wrote:
I don't see any information disclosure vulnerability in the first place,
and I don't see how your patch would
CVE-2009-0580: Tomcat information disclosure vulnerability
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Tomcat 4.1.0 to 4.1.39
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18
The unsupported Tomcat 3.x, 4.0.x and 5.0.x