tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Filip Hanik - Dev Lists <>
Subject Re: Proposed new security pages
Date Wed, 21 Feb 2007 02:14:42 GMT
Yoav Shapira wrote:
> Hi,
> On 2/20/07, Filip Hanik - Dev Lists <> wrote:
>> The consequence of this is that you are "advertising" a security
>> vulnerability to the world, and you are leaving your users with either
>> continue running a stable version that everyone knows how to exploit or
>> to upgrade to a non stable version.
>> Doesn't sound like a fair choice, does it?
> The first, and default choice for security-conscious users, is to
> apply the patch directly from SVN without even waiting for a release.
> This follows the practice httpd has been following for many years, and
> they document it well: see for example
> .
yes, I can see a few folks doing this. But I believe most folks still 
get the updated binaries from their distribution source.
for example, RedHat will apply the actual patch and rebuild for their 
distro, others will do the same.

> If someone is security-conscious, they should look at the SVN details
> that will be announced when we publish a vulnerability, and see for
> themselves whether they want to update or not.  If they do want to
> update, they'll do so immediately right from the source, and waiting
> for us to release, much less waiting for us to vote on a release, is
> spurious.
you assume that companies know how to "patch" a release, build etc.
some do, some don't. Some that do, still prefer to get a binary.
> In general, we can't assume the release following a security
> vulnerability announcement, x.y.(z+1) in your example, will be stable
> for a long long time, unless someone wants to do a release not from
> the trunk, but from the tag of the previous stable release.  That
> someone, e.g. you if you're interested, is welcome to do that work.
> But I think it's a waste of time because of the above source update
> option, and therefore shouldn't be our mandated practice.
> Also one other note: our putting a security vulnerability notice is
> not likely to be the first publication of such notice.  In most cases,
> the original person or entity who discovered the vulnerability will
> report it to such bodies as CVE, which are watched by a lot more
> people (good and bad) than the Tomcat mailing lists.
really, I was under the impression that most bodies that report a 
security issue,
will not publish until you OK them to do so.
For example, the security problem in the JDK, was reported over a year 
before Sun actually released the fix.
First when Sun had a JDK version available, was the vulnerability 
released. We're not talking weeks in this particular case, rather months.
And I would assume that most reporting bodies follow the same practices. 
Am I wrong?


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message