tomcat-dev mailing list archives

From "Sean" <jaka...@wideasleep.com>
Subject Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2
Date Tue, 12 Dec 2000 17:07:34 GMT
I have to agree with Arieh on this one.  Coming from an organization that
has a very rigorous change management process, I know that it can take
upwards of 4 months to release a piece of software, let alone a server
upgrade that is not just a security fix.  If it adds features above and
beyond the current rev, then all of the parties with applications or code on
that server have to be notified, and they have to submit change management
requests for testing etc .... Imagine a coder's hell ... and you have change
management.

I think a 3.1.1 release makes sense, but I also think it is important in the
release notes that we not only tell them that it is important that they
attempt to get on the latest rev of Tomcat (3.2.1 in this case), but, if we
can, also make some suggestions on how they can start changing their coding
now to prepare for the 4.0 transition.  I am not sure if that is easier said
than done, but it is a suggestion ...

Sean

----- Original Message -----
From: "Arieh Markel" <Arieh.Markel@central.sun.com>

> > > I'm certainly game to remove 3.1 once we know that 3.1.1 doesn't introduce any
> > > nasty problems, but just removing 3.1 doesn't help all the thousands of people who
> > > have apps running on 3.1 and who cannot, for various reasons, immediately upgrade.
> >
> > They can upgrade to 3.1.1 but not 3.2? Huh?
>
> Yes, that is actually the situation.
>
> I can tell you that in our application, the changes implied by moving from
> 3.1 to 3.2 were significant (we use Tomcat in an embedded manner, dynamically
> incorporating servlets to contexts), mainly because there were implementation
> differences in the APIs (for Contexts, facades, etc).
>
> >
> > No, make people upgrade to 3.2. There are WAY too many advantages to having
> > 3.2.
>
> We cannot 'make people upgrade'. There are organizations that rely on
> a certain revision of the software. The decision of upgrading or not is not
> only hinged on the advantages but on the drawbacks (the time to regression-test
> that the application still functions, the time to spend to verify that the
> change is 'transparent', etc), therefore, there are going to be users that
> will not upgrade to 3.2 but will be willing to move to 3.1.1.
>
> I would argue that a move from 3.1 to 3.1.1 falls into the category of
> transparent move, while not being able to say the same of moving from 3.1
> to 3.2.
>
> Arieh
> >
> > -jon
> >
> > --
> > Honk if you love peace and quiet.
> >
>
> --
>  Arieh Markel                 Sun Microsystems Inc.
>  Network Storage                        500 Eldorado Blvd. MS UBRM11-194
>  e-mail: arieh.markel@sun.COM           Broomfield, CO 80021
>  Let's go Panthers !!!!                 Phone: (303) 272-8547 x78547
>  (e-mail me with subject SEND PUBLIC KEY to get public key)
>
