Author: rjung
Date: Sat Dec 19 16:34:06 2009
New Revision: 892484
URL: http://svn.apache.org/viewvc?rev=892484&view=rev
Log:
Vote and comment.
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=892484&r1=892483&r2=892484&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Sat Dec 19 16:34:06 2009
@@ -37,20 +37,20 @@
It is updated version of Mark's patch,
where the new method in JAASRealm calls the old one.
http://people.apache.org/~kkolinko/patches/2009-11-02_bug39231.patch
- +1: kkolinko, markt
+ +1: kkolinko, markt, rjung
-1:
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=39844
Port r588477 (fix for #43668) by billbarker that corrected this for Tomcat 6
http://people.apache.org/~markt/patches/2009-07-11-bug39844.patch
- +1: markt, kkolinko
+ +1: markt, kkolinko, rjung
-1:
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=43327
Port from 6.0.x
Required to investigate 39997
http://people.apache.org/~markt/patches/2009-07-12-apr-ipv6.patch
- +1: markt, kkolinko
+ +1: markt, kkolinko, rjung
-1:
* Minor cleanups for AccessLogValve classes
@@ -82,7 +82,7 @@
Note: Patch cannot be applied until tc-native 1.1.17 has been released
since it depends on a new native method
http://svn.apache.org/viewvc?rev=815418&view=rev
- +1: markt, mturk
+ +1: markt, mturk, rjung
-1:
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47878
@@ -115,13 +115,14 @@
There are two patches to be applied:
1) Make WebappClassLoader to do not swallow AccessControlException
http://svn.apache.org/viewvc?rev=831828&view=rev
- +1: kkolinko, markt
+ +1: kkolinko, markt, rjung
-1:
2) Add a new PrivilegedAction. Patch by markt
http://svn.apache.org/viewvc?rev=834080&view=rev
- +1: kkolinko, markt
+ +1: kkolinko, markt, rjung
-1:
+ rjung: minus generics
3) Remove use of WebappClassLoader$PrivilegedFindResource,
because all findResourceInternal(String,String) calls are now already
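Review bot: The added line "rjung: minus generics" under item 2 is too terse to act on, and because it sits directly below the empty "-1:" line it can be misread as the reason for a veto even though rjung is listed under "+1:". Suggest spelling out the condition on the vote in a full sentence, so whoever applies the PrivilegedAction patch knows what has to change before it is committed.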
@@ -130,12 +131,12 @@
(to fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48097#c13
)
http://people.apache.org/~kkolinko/patches/2009-11-12_PrivilegedFindResource_tc6.patch
- +1: kkolinko, markt
+ +1: kkolinko, markt, rjung
-1:
* Include root cause exception into the one produced by
ApplicationContextFacade#doPrivileged()
http://svn.apache.org/viewvc?rev=831819&view=rev
- +1: kkolinko, markt
+ +1: kkolinko, markt, rjung
-1:
* Fix CVE-2009-3548 - Windows installer uses insecure default password
@@ -156,7 +157,7 @@
* Align server.xml installed by .exe installer with the one bundled in
zip/tgz archives
http://people.apache.org/~kkolinko/patches/2009-11-15_Installer_serverxml_tc55.patch
- +1: kkolinko, markt
+ +1: kkolinko, markt, rjung
-1:
* Single quote should be not be treated as a separator
@@ -167,12 +168,12 @@
* Implement https://issues.apache.org/bugzilla/show_bug.cgi?id=37847
Make location and filename of catalina.out configurable in catalina.sh
http://svn.apache.org/viewvc?rev=881088&view=rev
- +1: kkolinko, markt
+ +1: kkolinko, markt, rjung
-1:
* Update to commons-pool 1.5.4
http://svn.apache.org/viewvc?rev=881412&view=rev
- +1: markt, kkolinko
+ +1: markt, kkolinko, rjung
-1:
* Provide new option to allow = in cookie values
@@ -182,10 +183,10 @@
* Alternative fix for CVE-2009-3555 SSL MITN
The current patch uses an async callback to close the socket. It is
- technically possible an attack may suceed before the socket is closed
- The new patch only logs failed server initiated negotiations
+ technically possible an attack may succeed before the socket is closed
+ The new patch only logs failed server initiated negotiations.
http://people.apache.org/~markt/patches/2009-11-20-cve2009-3555-v2.patch
- +1: markt
+ +1: markt, rjung
-1:
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47609
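Review bot: The typo fix in this entry is incomplete: the heading on the unchanged context line still reads "SSL MITN", which looks like a typo for MITM, and the sentence ending "before the socket is closed" still has no full stop, so it runs into "The new patch only logs failed server initiated negotiations." Since the entry concerns CVE-2009-3555, it is worth fixing both in the same pass so the description of the residual window (an attack may succeed before the async callback closes the socket) reads unambiguously.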
@@ -199,73 +200,76 @@
Correct file descriptor leak on context stop/reload
Patch provided by George Sexton
http://svn.apache.org/viewvc?rev=883130&view=rev
- +1: markt
+ +1: markt, rjung
-1:
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47997
Process changes for all naming contexts, not just the global one
http://svn.apache.org/viewvc?rev=883134&view=rev
- +1: markt
+ +1: markt, rjung
-1:
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47554
httpOnly flag not applied to migrated session cookie
- https://issues.apache.org/bugzilla/show_bug.cgi?id=47554
- +1: markt
+ http://svn.apache.org/viewvc?rev=891304&view=rev
+ +1: markt, rjung
-1:
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48049
Fix copy and paste error and call correct function
Patch provided by gingyang.xu
http://svn.apache.org/viewvc?rev=883177&view=rev
- +1: markt
+ +1: markt, rjung
-1:
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48300
+* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48311
Only the APR lifecycle listener should try and initialise APR
Patch also syncs all APR lifecycle listener changes from 6.0.x to 5.5.x
http://people.apache.org/~markt/patches/2009-11-27-bug48300-tc5.patch
- +1: markt
+ +1: markt, rjung
-1:
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47537
- Return an error page rather than a zero length 200 reposne if the forward to
+ Return an error page rather than a zero length 200 response if the forward to
the login or error page fails during FORM authentication
http://svn.apache.org/viewvc?rev=889606&view=rev
- +1: markt
+ +1: markt, rjung
-1:
* Address https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Prevent session fixation by changing session ID on authentication by default
If you don't like the session ID changing by default, feel free to caveat
your
- vote. If there is suggicient support for the patch but insufficient support
+ vote. If there is sufficient support for the patch but insufficient support
for changing the ID by default I'll apply the patch with the default set to
not change the session ID
http://svn.apache.org/viewvc?rev=889716&view=rev
- +1: markt
+ +1: markt, rjung
-1:
+ rjung: I'd prefer off by default, because 5.5 is assumed to be very stable,
+ and changing by default can break things like e.g. existing profiles for
+ automated stress testing.
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47689
Enable the test Ant target to work
https://issues.apache.org/bugzilla/attachment.cgi?id=24704
- +1: markt
+ +1: markt, rjung
-1:
* Pre-load class required to obtain SSL key size if running under a security
manager
http://svn.apache.org/viewvc?rev=890349&view=rev
- +1: markt
+ +1: markt, rjung
-1:
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47744
Prevent medium term memory leak if using SSL under a security manager
Based on a patch by Greg Vanore
http://svn.apache.org/viewvc?rev=890350&view=rev
- +1: markt
+ +1: markt, rjung
-1:
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47963
Ensure HTTP header values meet the requirements of RFC2616
http://svn.apache.org/viewvc?rev=892293&view=rev
- +1: markt
+ +1: markt, rjung
-1:
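Review bot: The bug reference is changed from id=48300 to id=48311 for the APR lifecycle listener entry, but the patch link two lines below still points to 2009-11-27-bug48300-tc5.patch, so the entry now names two different bug numbers. Please confirm which id is correct and note the mismatch in the entry if the patch file keeps its old name. Separately, on the 45255 session fixation entry, rjung is added to "+1:" while the comment says "I'd prefer off by default"; the tally alone does not show whether that +1 covers the change-session-ID-by-default variant, so recording it as a caveated vote would make the outcome clear when the patch is applied.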