tomcat-users mailing list archives

From Daniel Savard <daniel.sav...@gmail.com>
Subject Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
Date Wed, 25 May 2016 23:34:42 GMT
2016-05-25 13:42 GMT-04:00 Mark Thomas <markt@apache.org>:
(...)

> For example, this issue only applies if you are using JMX/RMI. If you
> are, it is likely to be a significant risk. If you aren't, it won't
> affect you. One of the reasons I published that blog post was to provide
> folks with the information they need to figure out whether this affects
> them or not.
>
> Mark
>

When in doubt, I usually prefer to upgrade to the latest version. I see no reason to
stick to a lower version unless a specific bug is known and has been
introduced into the latest version.

-----------------
Daniel Savard
