On 6/21/21 9:42 AM, Christopher Schultz wrote:
> I think it depends upon your environment, honestly. There were many
> organizations where the "AJP endpoint is trusting, because that's what
> it's for" announcement was a real surprise and represented a must-fix
> issue immediately. That was not the case for my $work, where we were
> already protecting our AJP connections and not allowing just anyone to
> connect.
>
> If you are using h2c, you'll definitely want to upgrade to 8.5.63 or
> later, as there is a critical fix there.

We don't, so far as I'm aware, use AJP or h2c. The only enabled
connectors are HTTPS (still coded as a Tomcat 7.0 connector and using a
Java Keystore) and Shutdown.
--
JHHL