tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Tomcat 4.0-beta-2 Security Vulnerability
Date Tue, 03 Apr 2001 01:48:52 GMT


On Tue, 3 Apr 2001, Punky Tse wrote:

> 
> And I think it is also good to state in the mail-announcement and in the
> jakarta website that the b2 have such security vulnerability when b3 is
> rolled out.
> 

It will.  The beta-2 release is also going to get pulled so that no one
will download it accidentally.

> Punky
> 

Craig


> 
> ----- Original Message -----
> From: "Craig R. McClanahan" <craigmcc@apache.org>
> To: <tomcat-dev@jakarta.apache.org>
> Sent: Tuesday, April 03, 2001 7:38 AM
> Subject: Re: Tomcat 4.0-beta-2 Security Vulnerability
> 
> 
> >
> >
> > On Mon, 2 Apr 2001, Mel Martinez wrote:
> >
> > >
> > > --- "Craig R. McClanahan" <craigmcc@apache.org> wrote:
> > > >
> > > > I suggest that we create a revised version of beta
> > > > 2, clearly labelled so
> > > > that people will know whether they have the
> > > > corrected version or not --
> > > > and we should do this immediately (like today) to
> > > > minimize the number of
> > > > people who end up downloading twice.
> > > >
> > > > I suggest we call the updated version "Tomcat
> > > > 4.0-beta-2-update-1" or
> > > > something like that.
> > > >
> > > > Comments?  Votes?
> > > >
> > >
> > > I vote you just call it  "Tomcat-4.0-beta-3".  I don't
> > > recall ever being told there were limits to the number
> > > of betas one can produce.  :-)  I believe that a new
> > > beta number is justified by any significant bug fix or
> > > fixes and a security hole is definitely significant,
> > > even if the code change may be tiny.
> > >
> > > By labeling it 'beta-3' it is CLEARLY the latest build
> > > and CLEARLY newer than beta-2.
> > >
> >
> > Makes sense to me.  "Beta 3" it is.
> >
> > > fwiw,
> > >
> > > Dr. Mel Martinez
> > > G1440, Inc.
> > >
> >
> > Craig
> 
> 


Mime
View raw message