RE: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

2018-04-04 Thread Venkata Reddy (Trianz) 
Both the vulnerabilities are not impacted on tomcat6.0.x.
Thanks a lot Mark and  Rémy for providing the quick information. 

-Original Message-
From: Rémy Maucherat [mailto:r...@apache.org] 
Sent: 04 April 2018 17:32
To: Tomcat Users List
Subject: Re: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, 
CVE-2018-1305)?

On Wed, Apr 4, 2018 at 1:02 PM, Mark Thomas <ma...@apache.org> wrote:

> On 04/04/18 11:54, Rémy Maucherat wrote:
> > On Wed, Apr 4, 2018 at 12:05 PM, Venkata Reddy (Trianz) < 
> > venkata.re...@trianz.com> wrote:
> >
> >> Hi Team,
> >>
> >> Could you please help me on whether tomcat6.0.53 version is also
> impacted
> >> with these vulnerabilities (CVE-2018-1304,
> >
> >
> > Yes.
>
> I thought root context mapping was introduced in Servlet 3.0 (Tomcat 7).
> Did we back-port it?
>

Ok, I think you are right as the text on the "special" - it doesn't look so 
spacial to me, as it's an exact path - "" path seems to be added in Servlet 
3.0. It's a situation where I don't really know what it does in Tomcat 6.0.
On the other one, I know for sure there's no ServletSecurity annotation :)

Rémy


>
> Mark
>
>
> >
> >
> >> CVE-2018-1305)?
> >>
> >
> > No.
> >
> > Rémy
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
**This mail has been sent from an external source**

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

2018-04-04 Thread Rémy Maucherat 
On Wed, Apr 4, 2018 at 1:02 PM, Mark Thomas  wrote:

> On 04/04/18 11:54, Rémy Maucherat wrote:
> > On Wed, Apr 4, 2018 at 12:05 PM, Venkata Reddy (Trianz) <
> > venkata.re...@trianz.com> wrote:
> >
> >> Hi Team,
> >>
> >> Could you please help me on whether tomcat6.0.53 version is also
> impacted
> >> with these vulnerabilities (CVE-2018-1304,
> >
> >
> > Yes.
>
> I thought root context mapping was introduced in Servlet 3.0 (Tomcat 7).
> Did we back-port it?
>

Ok, I think you are right as the text on the "special" - it doesn't look so
spacial to me, as it's an exact path - "" path seems to be added in Servlet
3.0. It's a situation where I don't really know what it does in Tomcat 6.0.
On the other one, I know for sure there's no ServletSecurity annotation :)

Rémy


>
> Mark
>
>
> >
> >
> >> CVE-2018-1305)?
> >>
> >
> > No.
> >
> > Rémy
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

2018-04-04 Thread Mark Thomas 
On 04/04/18 11:54, Rémy Maucherat wrote:
> On Wed, Apr 4, 2018 at 12:05 PM, Venkata Reddy (Trianz) <
> venkata.re...@trianz.com> wrote:
> 
>> Hi Team,
>>
>> Could you please help me on whether tomcat6.0.53 version is also impacted
>> with these vulnerabilities (CVE-2018-1304,
> 
> 
> Yes.

I thought root context mapping was introduced in Servlet 3.0 (Tomcat 7).
Did we back-port it?

Mark


> 
> 
>> CVE-2018-1305)?
>>
> 
> No.
> 
> Rémy
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

2018-04-04 Thread Rémy Maucherat 
On Wed, Apr 4, 2018 at 12:05 PM, Venkata Reddy (Trianz) <
venkata.re...@trianz.com> wrote:

> Hi Team,
>
> Could you please help me on whether tomcat6.0.53 version is also impacted
> with these vulnerabilities (CVE-2018-1304,


Yes.


> CVE-2018-1305)?
>

No.

Rémy