Is there perhaps a patch that can be applied or, better yet, a list of jars that were affected by this? (I'm just trying to find a simple way to patch a large volume of servers.)
On Wed, Oct 10, 2018 at 10:23 AM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Mark and Michael,
>
> On 10/10/18 05:15, Mark Thomas wrote:
> > On 08/10/18 21:55, Michael Yoder wrote:
> >> On Wed, Oct 3, 2018 at 12:50 PM Mark Thomas <ma...@apache.org> wrote:
> >>> CVE-2018-11784 Apache Tomcat - Open Redirect
> >>
> >> Is it possible to get more information on the "specially crafted URL"? I'd like more information so that I can test if some of our apps are vulnerable.
> >
> > Generally, there is a balance to strike here between making it easy for the less technically competent attackers to construct an attack and making it easy for end users to figure out if they are vulnerable. The way we typically do this is by describing the conditions necessary for an attack to be possible as completely as possible but not providing details of how to perform an attack.
> >
> > We also provide references to the commit that fixed the issue. For someone with the right skills, there is usually enough information in the description and the commit for a successful attack to be reverse engineered.
>
> It doesn't look like Sergey has posted anything (that I can find) that might be called a full disclosure. If he had, I'd point it out.
>
> If I were you, I'd just make sure that you either (a) upgrade or (b) use the existing settings to mitigate the potential problem, as described in the announcement.
>
> -chris
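For the question at the top of this message (a simple way to find what needs patching across a large volume of servers), the following is an added example, not code from this thread or from the Tomcat project. It does not try to reproduce the "specially crafted URL"; it does the version check that Chris's option (a) implies: read the version stamp Tomcat ships in `catalina.jar` (`org/apache/catalina/util/ServerInfo.properties`) and compare it with the affected and fixed ranges from the CVE-2018-11784 announcement. Those ranges (9.0.0.M1 to 9.0.11 fixed in 9.0.12, 8.5.0 to 8.5.33 fixed in 8.5.34, 7.0.23 to 7.0.90 fixed in 7.0.91) are assumed here from the announcement and should be checked against it before you rely on the output. `build_fake_catalina_jar` and the jar it produces are constructed for the demo; against real hosts, feed it `$CATALINA_HOME/lib/catalina.jar` instead.

```python
"""Version-based audit for CVE-2018-11784 across many Tomcat installs.

Added example for this thread; not code from the Tomcat project or from any
poster. It never probes the open-redirect behaviour itself: it reads the
version stamp Tomcat ships in catalina.jar and compares it with the affected
and fixed ranges from the CVE-2018-11784 announcement. Those ranges are
ASSUMED below from the announcement; check them against it before use.
"""
import io
import zipfile
from typing import Optional, Tuple

# Where Tomcat records its own version inside catalina.jar.
SERVERINFO_PATH = "org/apache/catalina/util/ServerInfo.properties"

# Per branch: (earliest affected release, first fixed release).
# Values assumed from the announcement: verify before relying on them.
AFFECTED_RANGES = {
    (9, 0): ((9, 0, 0), (9, 0, 12)),   # 9.0.0.M1 .. 9.0.11, fixed in 9.0.12
    (8, 5): ((8, 5, 0), (8, 5, 34)),   # 8.5.0 .. 8.5.33,    fixed in 8.5.34
    (7, 0): ((7, 0, 23), (7, 0, 91)),  # 7.0.23 .. 7.0.90,   fixed in 7.0.91
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.0.11.0' -> (9, 0, 11, 0). A qualifier such as 'M1' ends parsing,
    so '9.0.0.M1' -> (9, 0, 0)."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def status(version: str) -> str:
    """Classify one version string against AFFECTED_RANGES."""
    v = parse_version(version)[:3]
    rng = AFFECTED_RANGES.get(v[:2])
    if rng is None:
        # e.g. 8.0.x or 6.0.x: not listed in the announcement, so report
        # that rather than guess.
        return "unknown-branch"
    first_affected, first_fixed = rng
    if v < first_affected:
        return "not-affected"
    if v >= first_fixed:
        return "fixed"
    return "vulnerable"


def version_from_jar(jar_bytes: bytes) -> Optional[str]:
    """Return server.number from a catalina.jar image, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if SERVERINFO_PATH not in zf.namelist():
            return None
        props = zf.read(SERVERINFO_PATH).decode("utf-8", "replace")
    for line in props.splitlines():
        if line.startswith("server.number="):
            return line.split("=", 1)[1].strip()
    return None


def audit_jar(jar_bytes: bytes) -> Tuple[Optional[str], str]:
    """(version, status) for one catalina.jar; 'no-version' if unreadable."""
    version = version_from_jar(jar_bytes)
    if version is None:
        return None, "no-version"
    return version, status(version)


def build_fake_catalina_jar(version: str) -> bytes:
    """CONSTRUCTED stand-in for a real catalina.jar, for the demo only:
    a zip containing just ServerInfo.properties with the given version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            SERVERINFO_PATH,
            f"server.info=Apache Tomcat/{version}\nserver.number={version}.0\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # On real hosts, replace the fake jar with open(".../lib/catalina.jar","rb").read()
    for v in ("9.0.11", "9.0.12", "8.5.33", "7.0.22", "8.0.53"):
        print(v, audit_jar(build_fake_catalina_jar(v)))
```

The point of keying on `catalina.jar` rather than on a banner or an HTTP probe is that it works the same over SSH, a config-management fact gatherer, or a filesystem scan of unpacked images, and it does not depend on knowing the trigger URL the announcement deliberately withholds. It only tells you which installs still need the upgrade or the configuration mitigation, not whether a given deployment is exposed.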