Message-ID: <3A366846.69F491C7@eng.sun.com>
Date: Tue, 12 Dec 2000 10:02:47 -0800
From: "Craig R. McClanahan"
To: tomcat-dev@jakarta.apache.org
Subject: Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2
References: <3A357D3D.302585D7@eng.sun.com> <3A363F7B.C6DCD6E9@voyager.apg.more.net>

Glenn Nielsen wrote:

> Very shortly I will have some updated documents for configuring Tomcat to use
> the Java SecurityManager under various flavors of MS Windows. I would like
> to get this into the 3.2.1 release.
>
> +1 If you can hold off a day so I can get these documents updated
>

I would be really uncomfortable holding off security related fixes for "feature" improvements (or even bug fixes), when we can roll a 3.2.2 release as soon as the changes are committed and tested. Keep in mind that we're bypassing the usual "beta test" period if we release 3.2.1 ASAP, so adding lots of things creates some measure of risk.

> Regards,
>
> Glenn
>

Craig

PS: Thanks to Arieh for catching my stupid typo in the fixes for META-INF and WEB-INF checking ... I will make sure those are repaired before cutting the real releases.