Subject: Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2
on 12/11/2000 5:59 PM, "Craig R. McClanahan" <[EMAIL PROTECTED]>
wrote:
> I'm certainly game to remove 3.1 once we know that 3.1.1 doesn't introduce any
> nasty problems, but just removing 3.1 doesn'
"Craig R. McClanahan" wrote:
>
> Glenn Nielsen wrote:
>
> > Very shortly I will have some updated documents for configuring Tomcat to use
> > the Java SecurityManager under various flavors of MS Windows. I would like
> > to get this into the 3.2.1 release.
> >
> > +1 If you can hold off a day s
> > > Tomcat 3.2 final has the following security vulnerabilities that have
> > > subsequently been fixed in the CVS repository:
> > > * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
> > > expose sensitive information (note the double slash after "examples").
> > > * The "Show
Glenn Nielsen wrote:
> Very shortly I will have some updated documents for configuring Tomcat to use
> the Java SecurityManager under various flavors of MS Windows. I would like
> to get this into the 3.2.1 release.
>
> +1 If you can hold off a day so I can get these documents updated
>
I would
Nick Bauman wrote:
> On Mon, 11 Dec 2000, Craig R. McClanahan wrote:
>
> >
> > Tomcat 3.2 final has the following security vulnerabilities that have
> > subsequently been fixed in the CVS repository:
> > * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
> > expose sensitive inf
>>> [EMAIL PROTECTED] 12/11/00 06:19PM
> Over the last three days, a review of published and soon-to-be-published reports
> of security vulnerabilities in Tomcat has uncovered a series of problems in the
> 3.1 final release, and a couple of less serious (but still significant) problems
> in 3.2.
I have to agree with Arieh on this one. Coming from an organization that
has a very rigorous change management process I know that it can take
upwards of 4 months to release a piece of software, let alone a server
upgrade that is not just a security fix. If it adds features above and
beyond the
> Subject: Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2
> From: Jon Stevens <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N
>
> on 12/11/2000 5:59 PM, "Craig R
"Craig R. McClanahan" wrote:
>
> Over the last three days, a review of published and soon-to-be-published reports
> of security vulnerabilities in Tomcat has uncovered a series of problems in the
> 3.1 final release, and a couple of less serious (but still significant) problems
> in 3.2. Please
I think that a 3.1.1 should also be updated and released. There are those of
us out here using 3.1 that cannot immediately upgrade to 3.2. In
particular, I cannot upgrade right now because my applications use the
old xml parser (xml.jar) and 3.2 includes the new jax
parser.
>> Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security
>> problems
>
+1
I'll still be for security updates but releasing a 3.1.1 could make
some users think the 3.1 tree is still alive. Could be disturbing
some days after 3.2 release.
>
>
>> Proposal #2: Release a Tomcat 3.2.1
On Mon, 11 Dec 2000, Craig R. McClanahan wrote:
>
> Tomcat 3.2 final has the following security vulnerabilities that have
> subsequently been fixed in the CVS repository:
> * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
> expose sensitive information (note the double slash
> Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security
> problems
+1
> Proposal #2: Release a Tomcat 3.2.1 that fixes the following security
> problems
> plus the patches committed to date.
+ 1
Larry
on 12/11/2000 5:59 PM, "Craig R. McClanahan" <[EMAIL PROTECTED]>
wrote:
> I'm certainly game to remove 3.1 once we know that 3.1.1 doesn't introduce any
> nasty problems, but just removing 3.1 doesn't help all the thousands of people
> who have apps running on 3.1 and who cannot, for various
on 12/11/2000 5:19 PM, "Craig R. McClanahan" <[EMAIL PROTECTED]>
wrote:
> Over the last three days, a review of published and soon-to-be-published
> reports of security vulnerabilities in Tomcat has uncovered a series of
> problems in the 3.1 final release, and a couple of less serious (but s
Hans Bergsten wrote:
> "Craig R. McClanahan" wrote:
> > [...]
> > Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security problems
>
> +0. Is removing TC 3.1 from the download pages an alternative? There shouldn't
> be any reason for anyone to use TC 3.1 now when 3.2 is released. Upgr
"Craig R. McClanahan" wrote:
> [...]
> Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security problems
+0. Is removing TC 3.1 from the download pages an alternative? There shouldn't
be any reason for anyone to use TC 3.1 now when 3.2 is released. Upgrading to
3.2.1 could be the recom
> Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security
> problems
+1.
> Proposal #2: Release a Tomcat 3.2.1 that fixes the following security
> problems
> plus the patches committed to date.
+1.
Remy