George,

On 7/24/20 15:15, George Stanchev wrote:
> The description for this CVE is pretty vague (as perhaps
> necessary) but we have a customer that is trying to assess their
> risk for this CVE.

Their risk is probably very low. Their risk of a bunch of other "important" items included in later releases is probably much higher. What's going on at this client that they are rapidly approaching an 8-month delay in issuing this security patch?

> They are behind a reverse-proxy. Even though the description on
> Tomcat's security page states that the risk is low, it doesn't
> describe how a reverse-proxy would mishandle the Transfer-Encoding
> in order to compromise the backend Tomcat server.

It's a fairly small window of opportunity. Basically, several bugs in both the reverse proxy /and/ Tomcat would have to both be present in order to thread the needle.

> Any information about this exploit would be appreciated. (I did
> try to read the commit but it is rather large, so it would require
> more time to unroll the fix for me than getting a direct
> answer)...

Nobody from the Security Team is going to explain how to exploit this or test to see if you are vulnerable. Sorry.
:(

-chris