tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Larry Isaacs <>
Subject RE: Dealing with the Tomcat 3.3 "aux.jsp" DOS problem and a Tomca t 3. 3.1 release
Date Thu, 10 Jan 2002 01:55:55 GMT
Because most of the changes have been bug fixes, I'm figuring the
3.3.1 final will follow the beta a week later, maybe two.  Then,
3.3.2 can follow at its own pace. 
Unlike prior releases, I plan to give it a good testing as part of
developing the release plan.  I have typically left this to when
I'm trying to actually build the release when I often discover a
breakage or two that need fixing and another time consuming
retest.  (FYI: Though perhaps not terribly important, the
current HEAD of jakarta-tomcat doesn't build or run on
JDK 1.1.8, at least not on my Windows systems).
Since it won't be possible to fetch the "patched 3.3" from
CVS using a tag or branch, I'm reluctant to give it a normal
version number.  "3.3a" seems like a reasonable alternative.
I'll provide full tar.gzs and zips in addition to jars to update
an existing Tomcat 3.3 installation.

-----Original Message----- 
From: Bojan Smojver [] 
Sent: Wed 1/9/2002 8:26 PM 
To: Tomcat Developers List 
Subject: Re: Dealing with the Tomcat 3.3 "aux.jsp" DOS problem and a Tomcat 3. 3.1 release wrote: 

> So far the changes in 3.3 tree were only bug fixes and 
> what I've seen so far was pretty clear and simple - 
> I think the head of 3.3 is as good or better than 3.3.0. 

There were a few new features as well (at least STM pooling and 
SSLSessionID checks), but they should be either fairly safe (STM 
pooling) or turned off by default (SSLSessionID's). I agree that the 
current CVS version of 3.3 is better then the released 3.3. Many bugs 
have been fixed. 

> We could also take 3.3.0, replace tomcat_utils.jar 
> and label it 3.3.1  - and then in 2-3 weeks release 
> 3.3.2 with te head. 

Why don't we just say that due to recently discovered security issues, 
the release schedule has been changed and 3.3.1 is out with the latest 
security fixes. Then 3.3.2 gets released later in an orderly fashion. 

> But I'm +1 on whatever you choose. Let me know if/how 
> I can help - I don't have time but I could sleep less :-) 

I concur with Costin here. Your pick is +1. 


To unsubscribe, e-mail:   < <>
For additional commands, e-mail: < <>

View raw message