-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Updated
Severity: Important (was moderate)
Vendor: The Apache Software Foundation
Versions Affected: Tomcat 4.1.0 to 4.1.37 Tomcat 5.5.0 to 5.5.26 Tomcat 6.0.0 to 6.0.16 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
Description (new information): Further investigation of CVE-2008-2938 has shown that the vulnerability also exists only with URIEncoding="UTF-8" set on the connector. In these configurations arbitrary files in the docBase for an application, including files such as web.xml, may be disclosed. Users should also be aware that this vulnerability will apply when processing requests with UTF-8 body encoding and useBodyEncodingForURI="true"
Mitigation: 6.0.x users should upgrade to 6.0.18 5.5.x users should upgrade to 5.5.27 4.1.x users should obtain the latest source from svn or apply this patch: http://svn.apache.org/viewvc?view=rev&revision=681065
Credit: This additional information was discovered by the Apache Tomcat security team.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkjHnCMACgkQb7IeiTPGAkMoLQCg2PxS09CpZGI9t+QcdifSfMh8 CHcAoOSRAPOzAFH5hx1w8jxOBthrAKEJ =Fi0E -----END PGP SIGNATURE-----