From: Gregor Schneider
To: Tomcat Users List
Date: Wed, 1 Apr 2009 17:31:34 +0200
Subject: Re: redirection

Peter,

On Wed, Apr 1, 2009 at 4:58 PM, Peter Crowther wrote:
> And, indeed, *assuming* that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.
>
> I'd also be very interested to see the evidence (either way) on that.
>

See, I believe in the statement that the more components you're adding to an environment, the more possibilities there are for a security hole. However, to believe is not to know...

However, when I check full-disclosure and other security lists, I see few issues referring to Tomcat, but I see quite some issues referring to HTTPD and its modules.

I guess if you're once able to break HTTPD and found your way into the box, harm is on its way.

I further /believe/ that from this point it makes sense to use as few components as possible.

Anyhow, that's what I believe, not what I know.
Cheers

Gregor

--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 @ http://pgp.mit.edu:11371/