Mark,

On 6/5/2009 12:14 PM, Mark Thomas wrote:
> Christopher Schultz wrote:
>>> For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and
>>> 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are
>>> vulnerable.
>> I'm afraid I still don't understand the vulnerability in 5.5's
>> DataSourceRealm (the one I actually look at in detail): the NPE occurs
>> (in the unpatched code) regardless of the presence of a valid user(name).
>
> You need to go back to what the code looked like between 5.5.0 and
> 5.5.5. It was very different back then.

Apologies: it's noon and I'm still bleary-eyed. I was reading "5.5.0 - 5.5.5" as "5.0 - 5.5".

The actual "fix" then truly occurred between 5.5.0 and 5.5.5 in the 5.5.x branch, and the most recent commit amounts to both a performance optimization and a triple-check that this type of bug won't bite again anytime soon.

Thanks for clarifying (again).

-chris