tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat issue (Solaris 10)
Date Wed, 07 Sep 2011 22:38:55 GMT

Amit,

On 9/7/2011 2:30 PM, Anand, Amit (Contractor) wrote:
> Kinda new to tomcat but have a couple quick questions which came
> up regarding CVE-2011-3109 (Bug 51698).
> 
> Any timeline to when stable release of 6.0.34 is supposed to be 
> released?

Officially, it's "ready when it's ready". Given that this is
classified as an "important" fix, I suspect that 6.0.34 will have a
smaller lag time since 6.0.33 than 6.0.33 did from 6.0.32 (which was
about 6.5 months).

> Also what does "in trunk" specifically mean? Does that mean if I
> download say version 6.0.29 as of now, it will have the fix?

Certainly not. What it means is that it will appear in the next
release of the 6.0.x line of Tomcats which should be 6.0.34.

I've been trying to determine if using an AJP "secret" will thwart
this kind of attack. I suspect it will, but I can't get my TC to take
a secret just now (see my post under separate cover).

-chris