-----BEGIN PGP SIGNED MESSAGE-----
CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Update 2
Multiple (was The Apache Software Foundation)
Description (new information):
This vulnerability was originally reported to the Apache Software Foundation as
a Tomcat vulnerability. Investigations quickly identified that the root cause
was an issue with the UTF-8 charset implementation within the JVM. The issue
existed in multiple JVMs including current versions from Sun, HP, IBM, Apple and
It was decided to continue to report this as a Tomcat vulnerability until such
time as the JVM vendors had released fixed versions.
Unfortunately, the release of fixed JVMs and associated vulnerability disclosure
has not been co-ordinated. There has been some confusion within the user
community as to the nature and root cause of CVE-2008-2938. Therefore, the
Apache Tomcat Security Team is issuing this update to clarify the situation.
Contact your JVM vendor for further information.
Tomcat users may upgrade as follows to a Tomcat version that contains a workaround:
6.0.x users should upgrade to 6.0.18
5.5.x users should upgrade to 5.5.27
4.1.x users should upgrade to 4.1.39
This additional information was discovered by the Apache security
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----