lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <494A7E59.80909@apache.org>
Date: Thu, 18 Dec 2008 16:46:17 +0000
From: Mark Thomas <markt@...che.org>
To: full-disclosure@...ts.grok.org.uk,
	Tomcat Developers List <dev@...cat.apache.org>,
	Apache Tomcate private security list <security@...cat.apache.org>,
	bugtraq@...urityfocus.com
Subject: [SECURITY] CVE-2008-2938 - Apache Tomcat information disclosure vulnerability
 - Update 2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Update 2

Severity: Important

Vendor:
Multiple (was The Apache Software Foundation)

Versions Affected:
Various

Description (new information):
This vulnerability was originally reported to the Apache Software Foundation as
a Tomcat vulnerability. Investigations quickly identified that the root cause
was an issue with the UTF-8 charset implementation within the JVM. The issue
existed in multiple JVMs including current versions from Sun, HP, IBM, Apple and
Apache.

It was decided to continue to report this as a Tomcat vulnerability until such
time as the JVM vendors had released fixed versions.

Unfortunately, the release of fixed JVMs and associated vulnerability disclosure
has not been co-ordinated. There has been some confusion within the user
community as to the nature and root cause of CVE-2008-2938. Therefore, the
Apache Tomcat Security Team is issuing this update to clarify the situation.

Mitigation:
Contact your JVM vendor for further information.
Tomcat users may upgrade as follows to a Tomcat version that contains a workaround:
6.0.x users should upgrade to 6.0.18
5.5.x users should upgrade to 5.5.27
4.1.x users should upgrade to 4.1.39

Credit:
This additional information was discovered by the Apache security
team.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAklKflkACgkQb7IeiTPGAkPEqwCg5WiCeyaGrUbP/PTIhqF8TGZt
DcsAoJIx+NnKCCAk2JxGftVZbxxPrWGl
=JALs
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ