tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: Incorporating changes and compiling Tomcat
Date Wed, 28 Sep 2011 22:31:37 GMT
On 28/09/2011 18:44, Wilde, Bruce R. wrote:
> So, what are security minded system administrators to do about
> mitigating CVE-2011-3190 against V6.0.33?
> 
> From the
> http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.34_(not_yet_released)
> page
> 
> "Mitigation options:
> 
> 	Upgrade to Tomcat 6.0.34. [Ed. What is the expected release date?]
> 	Apply the appropriate patch. [Ed. Patch provides 2 java source files; requiring a re-compilation]
> 	Configure both Tomcat and the reverse proxy to use a shared secret.
> 		...
> 	Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector implementation.
> 		...
> "


It's a fair question, and you do provide answers - but those are aimed
at a specific problem.

This may be appropriate, but the OP did not declare their interest and
we do sometimes have people asking how to compile in Tomcat patches
because they misunderstand the release protocol/process.

Details matter: it's fair to challenge the question and provide a range
of answers if the subject is unclear IMO.


p




