Return-Path:
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 349 invoked from network); 6 Oct 2000 20:16:21 -0000
Received: from repulse.concentric.net (HELO repulse.cnchost.com) (207.155.248.4) by locus.apache.org with SMTP; 6 Oct 2000 20:16:21 -0000
Received: from userinterface.com (w061.z208176139.sjc-ca.dsl.cnc.net [208.176.139.61]) by repulse.cnchost.com id QAA06522; Fri, 6 Oct 2000 16:16:21 -0400 (EDT) [ConcentricHost SMTP Relay 1.10]
Errors-To:
Message-ID: <39DE3371.9325934D@userinterface.com>
Date: Fri, 06 Oct 2000 13:17:54 -0700
From: Tim McNerney
X-Mailer: Mozilla 4.74 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: tomcat-user@jakarta.apache.org, tomcat-dev@jakarta.apache.org
Subject: RE: Tomcat Security Vulnerability
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

Just a general note.

Using a firewall to protect a port, using IP filtering, or changing the port number are not fixes to the security problem. They are workarounds. Being able to shut down the server remotely is a serious security hole and needs to be treated as such. Some of the responders seem to realize this while others don't. But make no mistake, offering "use a firewall" as a solution will quickly lead to many people losing faith in the viability of Tomcat as a commercial-grade servlet solution.

"Use a firewall" is only a reasonable solution for the problems you don't know about. If it's a problem you know about, you need to fix the problem.

--Tim