On 09/03/2012 23:55, Au, Leon wrote: > On 3/9/12 2:19 PM, "Jayant Sane" <jayant_s...@hotmail.com> wrote: > >> >> >> Pardon the re-post but I just wanted some kind of ack from the Tomcat dev >> team on the following. >> Has the "Tomcat WAR deployment directory traversal..." issue as detailed >> in http://securitytracker.com/id/1023504 been fixed in version 7.0.023? >> As I mentioned, the Apache security team wont comment on known security >> issues. > > According to your link, only Tomcat major version 5 and 6 were affected. > Also, the issue was report Jan 25, 2010. Tomcat 7.0.23 was released Nov > 25, 2011. I imagine that any issue would have been patched well before > that. > > http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
Tomcat 7.0.2 was released as a beta on 2010-08-11 around 7 months after the bug was reported. There have been no fixes to the Cluster since 7.0.22, and the previous 3 versions didn't appear to address such a bug in the cluster mods, so this is v likely to be a false positive from a poor scan. p > Leon > >> >> many thanks,Jayant >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -- [key:62590808]
signature.asc
Description: OpenPGP digital signature