Eric,
On 11/25/20 09:34, Eric Robinson wrote:
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Tuesday, November 24, 2020 8:11 AM
> To: users@tomcat.apache.org
> Subject: Re: Weirdest Tomcat Behavior Ever?
>
>> Also, v5.0.8 is like 13 years old. Eric, you guys *really* have to upgrade that.
>> Somewhat surprisingly, there are CVEs against that library which allow
>> unauthenticated remote attackers to take over the MySQL client
>> connections opened by that library.
>
> Chris, I'm in full agreement with you on that. We'd love to update
> the connector but we are under vendor constraints. They only support
> certain versions.

*eyeroll*

How about "the officially-supported version of the library causes
ClassLoader leaks and leaves threads running when it shouldn't. Please
support a non-ancient version of this library"?

You should be able to argue based solely upon security reports that them
not supporting a newer version reduces the security of your system which
is not acceptable. Read your SLAs to see if you can force them to do the
right thing.

Honestly, dropping the newer version of the driver on top of the old one
will work in nearly 100% of the cases. I have a lot of experience with
the Connector/J library and I've never had an upgrade break anything.

Since I'm dumping on Connector/J right now, I just have to post this
item from the changelog of the most recent 5.1.x release[1] because it's
priceless:

"
Bugs Fixed

When trying to set a parameter for a PreparedStatement using the
method PreparedStatement.setObject(parameterIndex, "false",
Types.BOOLEAN), the value was set to true instead of false. (Bug
#30911870, Bug #98237)
"

So, to recap: in MySQL Connector/J versions before 5.1.49, "false" means
"true".

*sigh* This *is* year-2020, I guess.

What better reason to upgrade?

-chris

[1] https://dev.mysql.com/doc/relnotes/connector-j/5.1/en/news-5-1-49.html
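
Added example, not part of the original message or of any project's code: one way to check whether a driver jar shipped with a webapp is older than the 5.1.49 release quoted above. It assumes the jar carries an Implementation-Version manifest attribute or a version in its file name; the function names and the sample jars are constructed for illustration.

```python
import io
import re
import zipfile

# Threshold from the changelog quoted in the thread: the "false" -> true bug is fixed in 5.1.49.
FIXED_IN = (5, 1, 49)

def parse_version(text):
    """Return the first dotted x.y.z version in text as a tuple of ints, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def connector_version(jar_name, jar_bytes):
    """Prefer Implementation-Version from the manifest (assumed present); fall back to the name."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            key, _, value = line.partition(":")
            if key.strip().lower() == "implementation-version":
                version = parse_version(value)
                if version:
                    return version
    except (zipfile.BadZipFile, KeyError):
        pass  # unreadable archive or no manifest: use the file name instead
    return parse_version(jar_name)

def needs_upgrade(jar_name, jar_bytes):
    """True if older than 5.1.49, False if not, None if the version cannot be determined."""
    version = connector_version(jar_name, jar_bytes)
    return None if version is None else version < FIXED_IN

def make_sample_jar(implementation_version):
    """Build a constructed, in-memory jar that contains only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nImplementation-Version: %s\n" % implementation_version)
    return buf.getvalue()

if __name__ == "__main__":
    samples = {  # constructed sample jars, not real driver files
        "mysql-connector-java-5.0.8-bin.jar": make_sample_jar("5.0.8"),
        "mysql-connector-java-5.1.49.jar": make_sample_jar("5.1.49"),
        "renamed-driver.jar": make_sample_jar("5.1.12"),
    }
    for name, data in samples.items():
        print(name, connector_version(name, data), needs_upgrade(name, data))
```

The comparison only applies the 5.1.49 threshold from the thread; other release lines have their own changelogs.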