Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-19 Thread Harish Krishnan
Thanks a lot for the clear explanation, Mark. I have all my questions answered, appreciate your help & you guys are Great! My apologies for the previous follow-up emails, I am still a novice in tomcat & failed in understanding the exact fix quicker.

regards
Harish Krishnan

On Wed, Mar 16, 2016

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-18 Thread Mark Thomas
On 15/03/2016 20:58, Harish Krishnan wrote:
> Hello There,
>
> I am kind of blocked here in my project while applying your CVE fix in our product & verify the fix. Any guidelines on what I am doing (mentioned in my previous email) wrong is highly appreciated.

You are failing to follow the

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-15 Thread Harish Krishnan
Hello There,

I am kind of blocked here in my project while applying your CVE fix in our product & verify the fix. Any guidelines on what I am doing (mentioned in my previous email) wrong is highly appreciated. All I am trying to do is, disable the redirect for the root (Ex: /manager & /examples

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-14 Thread Harish Krishnan
Any help on my previous question is really appreciated. Thank You!

On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan wrote:
> Thanks again for the reply, Chris & Violeta!
> Thanks for clarifying what the "protected directory" is, even I guessed it to be same. Now I

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-11 Thread Harish Krishnan
Thanks again for the reply, Chris & Violeta! Thanks for clarifying what the "protected directory" is, even I guessed it to be same. Now I understood the fix for the directories protected by a security constraint. I also verified this & the redirect is no more happening for these protected ones.

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-09 Thread Christopher Schultz
Harish,

On 3/8/16 5:47 PM, Harish Krishnan wrote:
> Thanks Chris for the reply.
> Looks like my understanding of the fix is incorrect.
> I assumed (my bad) that, with the fix for this CVE in place (tomcat 7.0.68) + setting the additional context attribute

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-09 Thread Violeta Georgieva
Hi Harish,

2016-03-09 0:47 GMT+02:00 Harish Krishnan:
> Thanks Chris for the reply.
> Looks like my understanding of the fix is incorrect.
> I assumed (my bad) that, with the fix for this CVE in place (tomcat 7.0.68) + setting the additional context attribute

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-08 Thread Harish Krishnan
Thanks Chris for the reply. Looks like my understanding of the fix is incorrect. I assumed (my bad) that, with the fix for this CVE in place (tomcat 7.0.68) + setting the additional context attribute (mapperContextRootRedirectEnabled="false"), all the redirects for that webapp where context

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-08 Thread Christopher Schultz
Harish,

On 3/7/16 6:02 PM, Harish Krishnan wrote:
> Unfortunately, I still could not verify this vulnerability as it still appears not fixed & my requests get redirected.

What makes you think that the requests should not be redirected?

> Instead

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-07 Thread Harish Krishnan
Thanks for the reply, Mark. Unfortunately, I still could not verify this vulnerability as it still appears not fixed & my requests get redirected. Instead of using the manager webapp that comes default in tomcat, we created a sample webapp with the following security constraint -

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-07 Thread Mark Thomas
On 07/03/2016 20:23, Harish Krishnan wrote:
> Hi There,
>
> I am verifying the fix that you made for CVE-2015-5345 & it appears to be not fixed. I might be doing something wrong & hence sending out this email to you.
> All I did was,
> a) Downloaded & installed the latest tomcat build

Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-07 Thread Harish Krishnan
Hi There,

I am verifying the fix that you made for CVE-2015-5345 & it appears to be not fixed. I might be doing something wrong & hence sending out this email to you. All I did was,
a) Downloaded & installed the latest tomcat build 7.0.68.
b) Added the following context attribute to manager