Did you mean JRE not JDK? 

It was my understanding that Tomcat 5.5 could be configured to use JRE
1.4 and that it had no need for an external JDK compiler. 


-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 10, 2007 8:01 PM
To: Tomcat Users List
Subject: Re: Tomcat 5.5.23 Question

Laura McCord wrote:
> I currently have Tomcat 5.0.28 installed and we received a security
> vulnerability notice pertaining to an "Apache Tomcat Directory
> Traversal".
>
> http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0167.html
> 
> We were thinking about upgrading to version 5.5.23 but is it true that
> we would have to upgrade our java installation from 1.4 to java 5?

No, this is not true. TC5.5.x runs on a 1.4 JDK as long as you also
download the JDK 1.4 compatibility package.

> Also, if anyone is familiar with this security vulnerability can you
> please explain what this means?

http://tomcat.apache.org/security-5.html - CVE-2007-0450

Short version:
 - Tomcat has two contexts, A & B
 - Tomcat is not accessible from the Internet
 - httpd is configured to proxy requests only to context A
 - httpd is accessible from the Internet

In this configuration a user may expect that context B is not
accessible from the Internet. This is not the case.

HTH.

Mark


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

