Return-Path:
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 11643 invoked from network); 9 Oct 2000 17:44:01 -0000
Received: from hellfire.clearink.com (HELO clearink.com) (205.227.191.11) by locus.apache.org with SMTP; 9 Oct 2000 17:44:01 -0000
Received: from [131.161.251.227] ([131.161.251.227]) by clearink.com (8.10.2/8.10.2) with ESMTP id e99Hi0k14626 for ; Mon, 9 Oct 2000 10:44:00 -0700
User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022
Date: Mon, 09 Oct 2000 10:44:07 -0700
Subject: Re: Tomcat Security Vulnerability
From: Jon Stevens
To:
Message-ID:
In-Reply-To:
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

on 10/9/2000 10:36 AM, "cmanolache@yahoo.com" wrote:

> I don't want this to sound too bad - tomcat is the result of many
> individuals contributing code they feel is needed. I contributed the
> original implementation of Ajp12 for tomcat, and my goal was to make it
> easy for people to transition from jserv2.0 to tomcat. In my experience
> with web servers I haven't met too many production sites without a
> firewall (and tomcat3.0 and before used a simple RMI mechanism that had
> no extra password).
>
> I personally believe that a firewall and/or IP-level rules are the best
> solution to allow/deny access to a certain port. I may be wrong, and it's
> clear other people have different opinions - but that's my experience and
> what I think.
>
> Costin

If there is a hole that can be easily fixed (or was even *fixed* at one point) then it should be fixed again by the person who broke it.

-jon

--
http://scarab.tigris.org/ | http://noodle.tigris.org/
http://java.apache.org/ | http://java.apache.org/turbine/
http://www.working-dogs.com/ | http://jakarta.apache.org/velocity/
http://www.collab.net/ | http://www.sourcexchange.com/