tomcat-dev mailing list archives

From Arieh Markel <Arieh.Mar...@central.sun.com>
Subject Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2
Date Tue, 12 Dec 2000 15:45:52 GMT

> Subject: Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2
> From: Jon Stevens <jon@latchkey.com>
> 
> on 12/11/2000 5:59 PM, "Craig R. McClanahan" <Craig.McClanahan@eng.sun.com>
> wrote:
> 
> > I'm certainly game to remove 3.1 once we know that 3.1.1 doesn't introduce any
> > nasty problems, but just removing 3.1 doesn't help all the thousands of people who
> > have apps running on 3.1 and who cannot, for various reasons, immediately upgrade.
> 
> They can upgrade to 3.1.1 but not 3.2? Huh?

Yes, that is actually the situation.

I can tell you that in our application, the changes implied by moving from
3.1 to 3.2 were significant (we use Tomcat in an embedded manner, dynamically
incorporating servlets to contexts), mainly because there were implementation
differences in the APIs (for Contexts, facades, etc).

> 
> No, make people upgrade to 3.2. There are WAY too many advantages to having
> 3.2.

We cannot 'make people upgrade'. There are organizations that rely on
a certain revision of the software. The decision to upgrade or not hinges
not only on the advantages but also on the drawbacks (the time to regression-test
that the application still functions, the time spent verifying that the
change is 'transparent', etc.). Therefore, there are going to be users who
will not upgrade to 3.2 but will be willing to move to 3.1.1.

I would argue that a move from 3.1 to 3.1.1 falls into the category of
a transparent move, while I cannot say the same of moving from 3.1
to 3.2.

Arieh
> 
> -jon
> 
> -- 
> Honk if you love peace and quiet.
> 

--
 Arieh Markel		                Sun Microsystems Inc.
 Network Storage                        500 Eldorado Blvd. MS UBRM11-194
 e-mail: arieh.markel@sun.COM           Broomfield, CO 80021
 Let's go Panthers !!!!                 Phone: (303) 272-8547 x78547
 (e-mail me with subject SEND PUBLIC KEY to get public key)

