On 22/12/2009 09:32, jean-frederic clere wrote:
> On 12/21/2009 11:43 PM, Rainer Jung wrote:
>> On 21.12.2009 22:36, jfcl...@apache.org wrote:
>>> Author: jfclere
>>> Date: Mon Dec 21 21:36:07 2009
>>> New Revision: 892991
>>>
>>> URL: http://svn.apache.org/viewvc?rev=892991&view=rev
>>> Log:
>>> Only update the build file that doesn't change the minimum tcnative
>>> version required in the source.
>>> The minimum version is in
>>> java/org/apache/catalina/core/AprLifecycleListener.java
>>>
>>> Modified:
>>> tomcat/tc6.0.x/trunk/STATUS.txt
>>> tomcat/tc6.0.x/trunk/build.properties.default
>>> tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
>>
>>
>>> Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
>>> URL:
>>> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=892991&r1=892990&r2=892991&view=diff
>>>
>>>
>>> ==============================================================================
>>>
>>>
>>> --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
>>> +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Mon Dec 21
>>> 21:36:07 2009
>>> @@ -33,11 +33,11 @@
>>> </properties>
>>>
>>> <body>
>>> -<section name="Tomcat 6.0.21 (remm)">
>>> +<section name="Tomcat 6.0.21 (jfclere)">
>>> <subsection name="Catalina">
>>> <changelog>
>>> <update>
>>> - Update required version for native to 1.1.17. (rjung)
>>> + Update required version for native to 1.1.18. (rjung, kkolinko)
>>> </update>
>>> <fix>
>>> Fix issues with expression language when running under a
>>
>> Just in case we find something really broken, I'd say this changelog
>> item should be reverted to its 1.1.17 state. We use 1.1.18 only for our
>> own builds, like the bundled tcnative on windows, but we do *not*
>> require it for Tomcat itself - which this changelog is for. So 1.1.18
>> used for the windows binary could go into a release notes file.
>
> 1.1.17 is vulnerable to CVE-2009-3555, 1.1.18 prevents it at least for
> the client initiated renegotiations.
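Review bot: the `<update>` line in this hunk now states that the required native version is 1.1.18, while the commit log says the minimum required version lives in java/org/apache/catalina/core/AprLifecycleListener.java and was deliberately left untouched, so the changelog entry no longer matches what the source enforces; keep the entry at 1.1.17 (or split it into a "minimum required" line and a separate "bundled version" line) so the documented requirement agrees with the code. The hunk also changes the section name from `Tomcat 6.0.21 (remm)` to `Tomcat 6.0.21 (jfclere)`, which the log message does not mention; if that attribution change is unintended, it should be dropped from this commit.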
The issue isn't which version we ship (I agree we should ship 1.1.18) but
which version we *require* as the minimum. These tests in the code look for
a minimum of 1.1.17 (and I think it should stay like this) and the
changelog should reflect this. Two entries would probably make this
clearer. E.g.:
- Update minimum required version for native to 1.1.17.
- Update bundled version of native to 1.1.18.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
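The disagreement in this thread is between the version the source *requires* and the version the build *bundles*, with the changelog claiming one while the code enforces the other. The script below is an added example, not Tomcat's own code or tooling: it cross-checks the three places where a native version number appears and reports any claim that disagrees with the source. The Java constant names (TCN_REQUIRED_MAJOR/MINOR/PATCH), the build property name (tomcat-native.version) and all three input excerpts are constructed for the example and are assumptions, not copied from the Tomcat tree.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed excerpt modelled on AprLifecycleListener.java.
# The constant names are assumed for this example, not copied from Tomcat.
JAVA_SRC = """
public class AprLifecycleListener implements LifecycleListener {
    protected static final int TCN_REQUIRED_MAJOR = 1;
    protected static final int TCN_REQUIRED_MINOR = 1;
    protected static final int TCN_REQUIRED_PATCH = 17;
}
"""

# Constructed excerpt standing in for build.properties.default.
# The property name is assumed for this example.
BUILD_PROPS = """
# version of the native library bundled with the Windows binaries
tomcat-native.version=1.1.18
"""

# Constructed changelog.xml fragment carrying the <update> line quoted in the thread.
CHANGELOG_XML = """
<changelog>
  <update>
    Update required version for native to 1.1.18. (rjung, kkolinko)
  </update>
</changelog>
"""

_JAVA_CONST = re.compile(r"TCN_REQUIRED_(MAJOR|MINOR|PATCH)\s*=\s*(\d+)\s*;")
_PROP_LINE = re.compile(r"^tomcat-native\.version\s*=\s*(\d+)\.(\d+)\.(\d+)\s*$", re.M)
_CHANGELOG_CLAIM = re.compile(r"required version for native to\s+(\d+)\.(\d+)\.(\d+)", re.I)


def required_version_from_java(src: str) -> Optional[Version]:
    """Minimum native version the source actually enforces, or None if not all three constants are present."""
    parts = {m.group(1): int(m.group(2)) for m in _JAVA_CONST.finditer(src)}
    if set(parts) != {"MAJOR", "MINOR", "PATCH"}:
        return None
    return (parts["MAJOR"], parts["MINOR"], parts["PATCH"])


def bundled_version_from_props(props: str) -> Optional[Version]:
    """Native version the build bundles, taken from the build properties."""
    m = _PROP_LINE.search(props)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def claimed_required_versions(xml: str) -> List[Version]:
    """Every 'required version for native' claim made in the changelog text."""
    return [(int(a), int(b), int(c)) for a, b, c in _CHANGELOG_CLAIM.findall(xml)]


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def check_release_metadata(java_src: str, props: str, xml: str) -> List[str]:
    """Return one finding per inconsistency; an empty list means the three sources agree."""
    findings: List[str] = []
    required = required_version_from_java(java_src)
    bundled = bundled_version_from_props(props)

    if required is None:
        findings.append("could not find the TCN_REQUIRED_* constants in the source")
    if bundled is None:
        findings.append("could not find tomcat-native.version in the build properties")

    # Bundling something older than the enforced minimum would fail at startup.
    if required and bundled and bundled < required:
        findings.append(f"bundled native {fmt(bundled)} is older than the required {fmt(required)}")

    # The changelog must describe what the code enforces, not what the build ships.
    for claim in claimed_required_versions(xml):
        if required and claim != required:
            findings.append(
                f"changelog claims required native {fmt(claim)} but the source requires {fmt(required)}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_release_metadata(JAVA_SRC, BUILD_PROPS, CHANGELOG_XML) or ["ok"]:
        print(finding)
```

Run against the constructed inputs, the only finding is the one the thread is about: the changelog claims 1.1.18 while the source still requires 1.1.17. Changing the changelog line to 1.1.17 (and recording 1.1.18 separately as the bundled version, as Mark suggests) makes the check pass, while the bundled-older-than-required check stays as a guard for the opposite mistake.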