tomcat-dev mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: [VOTE] Release build 6.0.25
Date Mon, 01 Mar 2010 10:07:27 GMT
2010/2/27 Konstantin Kolinko <knst.kolinko@gmail.com>:
> 2010/2/24 jean-frederic clere <jfclere@gmail.com>:
>> The candidates binaries are available here:
>> http://people.apache.org/~jfclere/tomcat-6/v6.0.25/
>>
>> According to the release process, the 6.0.25 tag is:
>> [x] Broken
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=48827
> Showstopper.
>

I should say that there is one more showstopper in 6.0.25:
the /findleaks command added to Manager webapp in 6.0.25 is not
covered by security constraints, thus enabling a DoS attack vector.

The fix for manager app web.xml is trivial and proposed in rev.917439.

Sorry for the inconvenience.

6.0.24 and trunk are not affected.

Best regards,
Konstantin Kolinko
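
An added example, not part of the original message or the Tomcat code base: a small audit that flags servlet mappings in a `web.xml` that no `security-constraint` with an `auth-constraint` covers, the kind of gap described above for `/findleaks`. The embedded descriptor is a constructed sample, not the real Manager `web.xml`; the function names are hypothetical, and the check ignores `http-method` restrictions and extension patterns.

```python
import xml.etree.ElementTree as ET

# Constructed sample, NOT the real Manager web.xml: three mapped paths,
# only two of them listed in the security constraint.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping><servlet-name>Manager</servlet-name><url-pattern>/list</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Manager</servlet-name><url-pattern>/findleaks</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Status</servlet-name><url-pattern>/status/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager commands</web-resource-name>
      <url-pattern>/list</url-pattern>
      <url-pattern>/status/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def url_patterns(root, parent, require=None):
    """url-pattern values under each <parent>; skip parents lacking <require>."""
    found = []
    for el in root.iter():
        tags = {local(c.tag) for c in el.iter()}
        if local(el.tag) == parent and (require is None or require in tags):
            found += [p.text.strip() for p in el.iter()
                      if local(p.tag) == "url-pattern" and p.text]
    return found


def covers(constraint, mapping):
    """Exact and path-prefix matching only (a simplification of the servlet spec)."""
    if constraint.endswith("/*"):
        base = constraint[:-2]
        return mapping == base or mapping.startswith(base + "/")
    return constraint == mapping


def unprotected_mappings(web_xml):
    """Mapped URL patterns that no authenticated security-constraint covers."""
    root = ET.fromstring(web_xml)
    protected = url_patterns(root, "security-constraint", require="auth-constraint")
    return [m for m in url_patterns(root, "servlet-mapping")
            if not any(covers(c, m) for c in protected)]
```

Running `unprotected_mappings` over each webapp descriptor as a build or release check turns a forgotten `url-pattern` into a failed gate rather than a post-tag finding.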
