tomcat-users mailing list archives

From Konstantin Kolinko <>
Subject Re: Incorporating changes and compiling Tomcat
Date Wed, 28 Sep 2011 17:56:27 GMT
2011/9/28 Wilde, Bruce R. <>:
> So, what are security minded system administrators to do about
> mitigating CVE-2011-3190 against V6.0.33?
> From the
> not_yet_released) page
> "Mitigation options:
>        Upgrade to Tomcat 6.0.34. [Ed. What is the expected release
> date?]

or to 7.0.21

>        Apply the appropriate patch. [Ed. Patch provides 2 java source
> files; requiring a re-compilation]

man patch

svn help patch  (since Subversion 1.7)

Or apply it manually using your text editor of choice.

>        Configure both Tomcat and the reverse proxy to use a shared
> secret.

Read "configuration reference". Any Tomcat administrator should have
done so once.

>                ...
>        Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector
> implementation.

The above one is the easiest. I would recommend it.
BTW, this is the connector implementation that is used by default when
you do not have "Tomcat-Native/APR" installed. That is what most users
are already using by default.

Regarding the original question "how to build it":

There are
 - webapps/docs/building.html

in every release. What else is needed?

Best regards,
Konstantin Kolinko
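
Added example, not part of the original message or of Tomcat: a Python check that lists the AJP connectors in a Tomcat 6 `server.xml` and reports which ones explicitly name `org.apache.jk.server.JkCoyoteHandler` and which use `protocol="AJP/1.3"`, where, per the reply above, the BIO handler is used only when Tomcat-Native/APR is not installed. The sample XML, the status labels and the class name `org.example.OtherAjpProtocol` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Connector implementation named in the advisory's mitigation list.
JK_BIO = "org.apache.jk.server.JkCoyoteHandler"

# Constructed sample server.xml (not taken from the original message).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Connector port="8010" protocol="org.apache.jk.server.JkCoyoteHandler" />
    <Connector port="8011" protocol="org.example.OtherAjpProtocol" />
  </Service>
</Server>
"""

def classify(protocol):
    """Return None for non-AJP connectors, otherwise a status label."""
    if protocol == JK_BIO:
        return "pinned-bio"        # implementation is fixed in the config
    if protocol == "AJP/1.3":
        return "runtime-selected"  # BIO only if Tomcat-Native/APR is absent
    if "ajp" in protocol.lower():
        return "other-ajp"         # some other AJP implementation class
    return None

def audit_ajp_connectors(server_xml):
    """List (port, protocol, status) for every AJP <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml.strip()).iter("Connector"):
        # A Connector without a protocol attribute is an HTTP connector.
        protocol = conn.get("protocol", "HTTP/1.1")
        status = classify(protocol)
        if status is not None:
            findings.append((conn.get("port"), protocol, status))
    return findings

if __name__ == "__main__":
    for port, protocol, status in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: protocol={protocol} -> {status}")
```

A `runtime-selected` result means the configuration alone does not settle the question: check whether the Tomcat-Native/APR library is installed on that host.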
