tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bojan Smojver <>
Subject Re: Dealing with the Tomcat 3.3 "aux.jsp" DOS problem and a Tomcat 3. 3.1 release
Date Thu, 10 Jan 2002 01:26:18 GMT wrote:

> So far the changes in 3.3 tree were only bug fixes and
> what I've seen so far was pretty clear and simple -
> I think the head of 3.3 is as good or better than 3.3.0.

There were a few new features as well (at least STM pooling and 
SSLSessionID checks), but they should be either fairly safe (STM 
pooling) or turned off by default (SSLSessionID's). I agree that the 
current CVS version of 3.3 is better then the released 3.3. Many bugs 
have been fixed.

> We could also take 3.3.0, replace tomcat_utils.jar
> and label it 3.3.1  - and then in 2-3 weeks release
> 3.3.2 with te head.

Why don't we just say that due to recently discovered security issues, 
the release schedule has been changed and 3.3.1 is out with the latest 
security fixes. Then 3.3.2 gets released later in an orderly fashion.

> But I'm +1 on whatever you choose. Let me know if/how
> I can help - I don't have time but I could sleep less :-)

I concur with Costin here. Your pick is +1.


To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message