Re: Reg Sendfile Feature

2017-04-20 Thread Mark Thomas
On 20/04/2017 17:14, Durga Srinivasu Karuturi wrote:
> Hi,
> 
> We are trying to analyze two of the below CVEs related to tomcat sendfile
> feature.
> 
> CVE-2017-5647 (Production tomcat 8.0.26)
> CVE-2017-5651 (Current tomcat 8.5.12)
> 
> We are enabling compression with NIO connector.
> 
> As per docs, connector level by default sendfile is enabled and sendfile
> takes precedence over compression.
> 
> We are not setting any request attribute "org.apache.tomcat.sendfile.support"
> to enable this support also.
> 
> With this, can we assume sendfile will not be used and these two CVEs are
> not applicable for us?

No.

> Or do we need to disable connector level to completely turn off sendfile?
> 
> Please clarify.

send file will still be used for static content unless send file is
disabled on the connector.

Mark
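
Following the reply above, a check that lists the connectors in a `server.xml` where sendfile has not been turned off. This is an added example, not part of the original thread or of Tomcat; it assumes the `useSendfile` connector attribute from the Tomcat connector documentation, and the sample `server.xml` is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from the thread).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               compression="on" />
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               compression="on" useSendfile="false" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>
"""


def connectors_with_sendfile(server_xml):
    """Return (port, protocol) for each HTTP connector that can still use sendfile."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # Assumption: only HTTP connectors are of interest here, so AJP is skipped.
        if "ajp" in protocol.lower():
            continue
        # Sendfile is enabled by default on the connector, so a missing
        # attribute counts as enabled. Anything other than an explicit
        # "false" (including an unresolved ${property}) is reported.
        value = conn.get("useSendfile", "true").strip().lower()
        if value != "false":
            findings.append((conn.get("port"), protocol))
    return findings


if __name__ == "__main__":
    for port, protocol in connectors_with_sendfile(SAMPLE_SERVER_XML):
        print(f"port {port} ({protocol}): sendfile not disabled")
```

Enabling compression or leaving the `org.apache.tomcat.sendfile.support` request attribute unset does not change the result; only `useSendfile="false"` on the connector does.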





Reg Sendfile Feature

2017-04-20 Thread Durga Srinivasu Karuturi
Hi,

We are trying to analyze two of the below CVEs related to tomcat sendfile
feature.

CVE-2017-5647 (Production tomcat 8.0.26)
CVE-2017-5651 (Current tomcat 8.5.12)

We are enabling compression with NIO connector.

As per docs, connector level by default sendfile is enabled and sendfile
takes precedence over compression.

We are not setting any request attribute "org.apache.tomcat.sendfile.support"
to enable this support also.

With this, can we assume sendfile will not be used and these two CVEs are
not applicable for us?

Or do we need to disable connector level to completely turn off sendfile?

Please clarify.

Thanks,
Durga Srinivasu