On 20/04/2017 17:14, Durga Srinivasu Karuturi wrote:
> Hi,
>
> We are trying to analyze two of the below CVEs related to tomcat sendfile
> feature.
>
> CVE-2017-5647 (Production tomcat 8.0.26)
> CVE-2017-5651 (Current tomcat 8.5.12)
>
> We are enabling compression with NIO connector.
>
> As per docs, connector level by default sendfile is enabled and sendfile
> takes precedence over compression.
>
> We are not setting any request attribute "org.apache.tomcat.sendfile.support"
> to enable this support also.
>
> With this can we assume sendfile will not be used and these two CVEs are
> not applicable for us.

No.

> Or do we need to disable connector level to completely turn off sendfile?
>
> Please clarify.

Send file will still be used for static content unless send file is disabled on the connector.

Mark
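A check for the point made in the reply above, as an added example that is not part of the original thread: it lists every `<Connector>` in a `server.xml` and flags those where sendfile has not been explicitly disabled. It assumes the connector attribute is Tomcat's `useSendfile` (not named in the thread), treats any value other than `false` as enabled, and runs on a constructed sample file.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread): one connector relying on
# defaults with compression on, one with sendfile explicitly disabled.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               compression="on" />
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               compression="on" useSendfile="false" />
  </Service>
</Server>"""


def audit_connectors(server_xml):
    """Return one finding per <Connector>, flagging those where sendfile is still on."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        raw = conn.get("useSendfile")
        # An absent attribute means the connector default applies, which the
        # thread states is "enabled". Anything other than an explicit "false"
        # is treated as enabled (conservative assumption of this example).
        sendfile_on = raw is None or raw.strip().lower() != "false"
        findings.append({
            "port": conn.get("port"),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "compression": conn.get("compression", "off"),
            "useSendfile": raw if raw is not None else "(default)",
            "sendfile_enabled": sendfile_on,
        })
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        status = "sendfile ENABLED" if f["sendfile_enabled"] else "sendfile disabled"
        print(f"port {f['port']} ({f['protocol']}), "
              f"compression={f['compression']}: {status}")
```

Enabling compression does not change the result for the first connector: it is still reported as having sendfile enabled, which matches the answer given in the thread.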