Re: AW: Question concerning mod_jk Security Fix CVE-2014-8111
On 11/08/2015 20:03, Christopher Schultz wrote:
> Chinoy,
>
> On 8/8/15 10:47 AM, Chinoy Gupta wrote:
>> Is the trunk stable?
>
> Fairly. But there is a tag for 1.2.41 if you'd rather use that. It's
> not yet an official ASF release, though.

But it does have 3 +1 binding votes to release and it is going to be
official later today or tomorrow. Details on the dev list until the
official announcement.

Mark

> -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AW: Question concerning mod_jk Security Fix CVE-2014-8111
Chinoy,

On 8/8/15 10:47 AM, Chinoy Gupta wrote:
> Is the trunk stable?

Fairly. But there is a tag for 1.2.41 if you'd rather use that. It's
not yet an official ASF release, though.

-chris
Re: AW: Question concerning mod_jk Security Fix CVE-2014-8111
On 8 August 2015 14:11:11 CEST, Christopher Schultz wrote:
> Chinoy,
>
> On 8/5/15 4:39 AM, Chinoy Gupta wrote:
>> When can we expect the release of JK 1.2.41 source code?
>
> Well, you can get your hands on it right now: svn trunk is always
> available.

+1

> Or you can wait for the vote to finish... I believe we have 3 votes to
> release.

But only two of them are binding.

Sorry,
Felix

> http://tomcat.markmail.org/thread/evury5r6rwcls5df
>
> -chris
Re: AW: Question concerning mod_jk Security Fix CVE-2014-8111
Chris,

Is the trunk stable?

Regards,
Chinoy

On Sat, Aug 08, 2015 at 5:42 pm, Christopher Schultz
<mailto:ch...@christopherschultz.net> wrote:

> Chinoy,
>
> On 8/5/15 4:39 AM, Chinoy Gupta wrote:
>> When can we expect the release of JK 1.2.41 source code?
>
> Well, you can get your hands on it right now: svn trunk is always
> available.
>
> Or you can wait for the vote to finish... I believe we have 3 votes
> to release.
>
> http://tomcat.markmail.org/thread/evury5r6rwcls5df
>
> -chris
Re: AW: Question concerning mod_jk Security Fix CVE-2014-8111
Chinoy,

On 8/5/15 4:39 AM, Chinoy Gupta wrote:
> When can we expect the release of JK 1.2.41 source code?

Well, you can get your hands on it right now: svn trunk is always
available.

Or you can wait for the vote to finish... I believe we have 3 votes
to release.

http://tomcat.markmail.org/thread/evury5r6rwcls5df

-chris
RE: AW: Question concerning mod_jk Security Fix CVE-2014-8111
Hi,

When can we expect the release of JK 1.2.41 source code?

Regards,
Chinoy

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Sunday, July 26, 2015 10:16 PM
To: Tomcat Users List
Subject: Re: AW: Question concerning mod_jk Security Fix CVE-2014-8111

On 20/07/2015 10:58, Kreuser, Peter wrote:
> Hi Mark,
>
> I appreciate your open comment and that clarifies the lengthy wait. I
> trust that now the solution gets going and will be solved soonish.
>
> I'm in no position to criticize any wrongdoing on this CVE. I only
> hope to find a clearer communication on the tomcat-security sites in
> the future and if THAT is RedHat's fault, then please clean up the
> process with them.

I've just updated the JK security page on the Tomcat web site.

To be clear, keeping this page up to date is entirely the
responsibility of the Tomcat committers. We dropped the ball on this
one. That said, I had hoped - much like I hoped with the release - that
RedHat would have directed one of their employees who is a committer to
do the update. When that didn't happen pretty much immediately, we (the
Tomcat committers) should have done it.

I've read through the release docs and I should be able to get a 1.2.41
source release out. I'm planning on doing that next. Binary releases
are going to have to wait for other folks to contribute them.

Cheers,

Mark

> Thank You. Best regards,
>
> Peter
>
> PS: is that the correct position to add my response?

Yes, it was.
Re: AW: Question concerning mod_jk Security Fix CVE-2014-8111
On 20/07/2015 10:58, Kreuser, Peter wrote:
> Hi Mark,
>
> I appreciate your open comment and that clarifies the lengthy wait. I
> trust that now the solution gets going and will be solved soonish.
>
> I'm in no position to criticize any wrongdoing on this CVE. I only
> hope to find a clearer communication on the tomcat-security sites in
> the future and if THAT is RedHat's fault, then please clean up the
> process with them.

I've just updated the JK security page on the Tomcat web site.

To be clear, keeping this page up to date is entirely the
responsibility of the Tomcat committers. We dropped the ball on this
one. That said, I had hoped - much like I hoped with the release - that
RedHat would have directed one of their employees who is a committer to
do the update. When that didn't happen pretty much immediately, we (the
Tomcat committers) should have done it.

I've read through the release docs and I should be able to get a 1.2.41
source release out. I'm planning on doing that next. Binary releases
are going to have to wait for other folks to contribute them.

Cheers,

Mark

> Thank You. Best regards,
>
> Peter
>
> PS: is that the correct position to add my response?

Yes, it was.
AW: Question concerning mod_jk Security Fix CVE-2014-8111
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Friday, 17 July 2015 12:33
> To: Tomcat Users List
> Subject: Re: Question concerning mod_jk Security Fix CVE-2014-8111
>
> On 16/07/2015 13:16, Kreuser, Peter wrote:
> > Please let me repeat my question from June 6th:
> >
> > Why is this CVE still not addressed in "Apache Tomcat JK Connectors
> > vulnerabilities" http://tomcat.apache.org/security-jk.html?
> >
> > http://www.cvedetails.com/cve/CVE-2014-8111/
>
> I'm a project committer but this is my personal view. It is not an
> official project view.
>
> The information on that CVE was leaked by RedHat's security team when
> they broke embargoes associated with two Tomcat security vulnerabilities
> that they had been informed of in advance and in confidence. (There were
> also errors in the information they leaked about the other vulnerability
> that made it appear to be much worse than it actually is.)
>
> To be clear, the Tomcat committers who are employed by RedHat were in no
> way responsible for the leaking of this information. The leak was
> entirely the fault of the RedHat security team.
>
> The mod_jk releases involve producing a large number of Windows binaries
> and experience with tc-native suggests that figuring out the build
> process - even with the available documentation - will be non-trivial.
> To give you an idea of what is likely to be involved, compare the
> documented build instructions for tc-native on Windows [1] with what is
> actually required to produce a release [2].
>
> Coincidentally, the committers who typically handle the mod_jk releases
> are RedHat employees.
>
> Given all the above, I personally have little desire to dedicate a large
> chunk of my time figuring out the mod_jk build process so I can clear up
> the mess created by RedHat's security team. I'm not against spending the
> time to better document the mod_jk build process (like I did for
> tc-native) but that isn't a priority for me right now.
>
> I had hoped that, given that the mess is of RedHat's making, RedHat
> would have directed one of its employees who is familiar with the
> mod_jk build process to spend the time necessary to produce a new mod_jk
> release. That hasn't happened.
>
> I hadn't realised - until I looked into it as a result of your e-mail -
> how long it has been since RedHat leaked this confidential information.
> It is looking increasingly like one of the Tomcat committers is going to
> have to clean up RedHat's mess for them.
>
> I'm not going to be in a position to do anything to fix this until the
> week beginning 27th July but if nothing has been done by then I'll see
> what I can do.
>
> If I do end up having to clear up this mess I'll be even more annoyed
> with RedHat's security team than I am already. I don't actually mind
> that much that a mistake was made. We all make mistakes and I have made
> very similar mistakes in the past. What annoys me about this - and I get
> more annoyed the longer this goes on - is that after RedHat realised
> they had leaked vulnerability information and that some of the
> information they had leaked was incorrect, RedHat have not (to my
> knowledge):
> - publicly stated some of the leaked information was incorrect;
> - publicly corrected the errors in the information they did leak;
> - publicly apologised for leaking the information (they have apologised
>   in private so this is less of an issue);
> - done anything to help clear up the mess such as directing their
>   employees who are Tomcat committers to help with the various releases
>   that became more urgent as a result of these leaks.
>
> It is this last point that particularly annoys me.
>
> It bears repeating here that the RedHat employees who are committers are
> in no way responsible for this mess. It just so happens that they are
> best placed to clean it up.
>
> I know this doesn't give you the release you need but hopefully you'll
> at least have a better understanding of how we ended up where we are and
> you do have my assurance that I'll look into this (with no guarantee
> I'll be able to produce the release) in just over a week if no-one beats
> me to it.
>
> Note you do have the option of building from trunk. I'm not aware of
> anything that needs fixing in mod_jk before the next release so the
> chances are that a build from the current trunk is going to be very
> close to a 1.2.41 release.
>
> Mark
>
> [1] http://tomcat.apache.org/native-doc/
> [2] http://wiki.apache.org/tomcat/BuildTcNativeWin
>
> > Hi,
> >
> > could you please tell us when the fixed mod_jk version 1.2.41 will be
> > publicly available?
> >
> > The webpage does not mention any vulnerability at all, plus no newer
> > release than the vulnerable 1.2.40.
> >
> > For now RedHat mentions only the fix to the source code from December 2014.
> > http://svn.apache.org/viewvc?view=revision&revi