Greg,

I was wrapping up the release last night and was releasing it today based on the prior feedback. Can you provide some more details on the exposure? My preference would be to release G 1.0 as is and fix this in 1.0.1. I need your expert opinion of the exposure WRT security.

There will always be something left to fix; this will delay releasing about 1 week to allow for a new review of the code, re-certification, etc.

I see a few options at this point.

1. Continue with the release despite this information.

2. Hold the release until this can be fixed (which then also begs the question of moving to the more recent Tomcat version with their fix for 0 content length on POST requests). This will delay the release for at least one week.

3. Ship Geronimo with Tomcat and get 1.0 out the door. We ship with both Tomcat and Jetty for 1.0.1 with this security fix included.

The security hole you've outlined sounds serious, but I was wondering if it's a specific set of implementations that could be documented (i.e. is this something that someone just found and it's a rather obscure config?)

Other input welcome. I'm going to complete getting the release ready but defer punching the button until this afternoon (about 1500 PT).

Matt

Greg Wilkins wrote:
Sorry guys but

-1

I've just had a report of a security issue in Jetty that reveals the
contents of WEB-INF on win32 platforms. Happy f*&#ing new year!

I have a fix and will be making a release very shortly.  To avoid any
other issues, I will probably roll back the other changes in HEAD so only this fix will go in.

But if it really is too late to change the jetty version, then -0

regards
