Excellent Mark.. thank you.. I am just trying to learn as much as I can and
that gives me so good data to evaluate paths of understanding...
look forward to communicating again..
rich

On Tue, Nov 1, 2016 at 4:30 PM, Mark Thomas <ma...@apache.org> wrote:

> On 01/11/2016 19:56, R Paul wrote:
> > Hi Mark
> > met you at Pivotal...in Toronto..
> > I have been watching these forums for some time..and just seeing the
> > quantity of emails
> > are these people experiencing a normal number of issues with getting
> > Tomcat to work with their software?
>
> I think what you see on the users list is fairly typical. Only a
> minority of the issues are actually bugs. Most questions are usage /
> configuration questions or are really application issues. You'll see a
> similar pattern on Stack Overflow.
>
> > Can you categorize some of those
> > issues to me..as a student studying security I am curious...
>
> There are lots of different ways you could categorize the questions. By
> Tomcat component, by root cause, by experience level of user...
>
> The classification I care most about is bug / non-bug and the metric I
> care most about is open bugs (excluding enhancement requests). That
> currently sits around 10 and those are nearly all waiting for more info
> from the reporter before we can fix it. Overall, I'm proud of the fact
> that Tomcat is very stable and that reported bugs get fixed quickly -
> typically a release with a fix is available within a month.
>
> Mark
>
>
> > richard
> >
> >
> > On Thu, Oct 27, 2016 at 8:17 AM, Mark Thomas <ma...@apache.org> wrote:
> >
> >> CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources
> >>
> >> Severity: Low
> >>
> >> Vendor: The Apache Software Foundation
> >>
> >> Versions Affected:
> >> Apache Tomcat 9.0.0.M1 to 9.0.0.M9
> >> Apache Tomcat 8.5.0 to 8.5.4
> >> Apache Tomcat 8.0.0.RC1 to 8.0.36
> >> Apache Tomcat 7.0.0 to 7.0.70
> >> Apache Tomcat 6.0.0 to 6.0.45
> >> Earlier, unsupported versions may also be affected.
> >>
> >> Description
> >> The ResourceLinkFactory did not limit web application access to global
> >> JNDI resources to those resources explicitly linked to the web
> >> application. Therefore, it was possible for a web application to access
> >> any global JNDI resource whether an explicit ResourceLink had been
> >> configured or not.
> >>
> >> Mitigation
> >> Users of affected versions should apply one of the following mitigations
> >> - Upgrade to Apache Tomcat 9.0.0.M10 or later
> >> - Upgrade to Apache Tomcat 8.5.5 or later
> >> - Upgrade to Apache Tomcat 8.0.37 or later
> >> - Upgrade to Apache Tomcat 7.0.72 or later
> >>   (Apache Tomcat 7.0.71 has the fix but was not released)
> >> - Upgrade to Apache Tomcat 6.0.47 or later
> >>   (Apache Tomcat 6.0.46 has the fix but was not released)
> >>
> >> Credit:
> >> This issue was discovered by the Apache Tomcat Security Team.
> >>
> >> References:
> >> [1] http://tomcat.apache.org/security-9.html
> >> [2] http://tomcat.apache.org/security-8.html
> >> [3] http://tomcat.apache.org/security-7.html
> >> [4] http://tomcat.apache.org/security-6.html
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
>
>
>
>
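Added example, not part of the original thread and not Tomcat's own code: an audit that compares the resources declared under `GlobalNamingResources` with the `ResourceLink` entries of each web application. Per the advisory, on affected versions the resources reported here as "unlinked" were reachable by the application as well. The XML snippets, context paths and resource names are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (assumption, not from the advisory).
SERVER_XML = """<Server>
  <GlobalNamingResources>
    <Resource name="jdbc/AppDB" type="javax.sql.DataSource"/>
    <Resource name="jdbc/BillingDB" type="javax.sql.DataSource"/>
    <Resource name="UserDatabase" type="org.apache.catalina.UserDatabase"/>
  </GlobalNamingResources>
</Server>"""

# Constructed per-application context.xml fragments, keyed by context path.
CONTEXTS = {
    "/shop": """<Context>
  <ResourceLink name="jdbc/db" global="jdbc/AppDB" type="javax.sql.DataSource"/>
</Context>""",
    "/billing": """<Context>
  <ResourceLink name="jdbc/db" global="jdbc/BillingDB" type="javax.sql.DataSource"/>
  <ResourceLink name="jdbc/ghost" global="jdbc/Missing" type="javax.sql.DataSource"/>
</Context>""",
}

def global_resources(server_xml):
    """Names of every entry declared under <GlobalNamingResources>."""
    root = ET.fromstring(server_xml)
    return {child.get("name")
            for gnr in root.iter("GlobalNamingResources")
            for child in gnr if child.get("name")}

def linked_globals(context_xml):
    """Global names a context explicitly links via <ResourceLink global=...>."""
    root = ET.fromstring(context_xml)
    return {link.get("global") for link in root.iter("ResourceLink") if link.get("global")}

def audit(server_xml, contexts):
    """Per context: linked globals, globals with no link, and links to nothing."""
    declared = global_resources(server_xml)
    report = {}
    for path, xml in contexts.items():
        linked = linked_globals(xml)
        report[path] = {
            "linked": sorted(linked & declared),
            "unlinked": sorted(declared - linked),   # must not be reachable after the fix
            "dangling": sorted(linked - declared),   # link points at no global resource
        }
    return report

if __name__ == "__main__":
    for path, result in audit(SERVER_XML, CONTEXTS).items():
        print(path, result)
```
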
