tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Incorporating changes and compiling Tomcat
Date Wed, 28 Sep 2011 17:56:27 GMT
2011/9/28 Wilde, Bruce R. <BRUCE.R.WILDE@saic.com>:
> So, what are security minded system administrators to do about
> mitigating CVE-2011-3190 against V6.0.33?
>
> From the
> http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.34_(not_yet_released)
> page
>
> "Mitigation options:
>
>        Upgrade to Tomcat 6.0.34. [Ed. What is the expected release
> date?]

or to 7.0.21

>        Apply the appropriate patch. [Ed. Patch provides 2 java source
> files; requiring a re-compilation]

man patch

svn help patch  (since Subversion 1.7)

Or apply it manually using your text editor of choice.

>        Configure both Tomcat and the reverse proxy to use a shared
> secret.

Read "configuration reference". Any Tomcat administrator should have
done so once.

>                ...
>        Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector
> implementation.

The above one is the easiest. I would recommend it.
BTW, this is the connector implementation that is used by default when
you do not have "Tomcat-Native/APR" installed. That is what most users
are already using by default.


Regarding the original question, "how to build it":

There are
 - BUILDING.txt
 - webapps/docs/building.html

in every release. What else is needed?


Best regards,
Konstantin Kolinko
