Peter, On Wed, Apr 1, 2009 at 4:58 PM, Peter Crowther <peter.crowt...@melandra.com> wrote:
> And, indeed, *assuming* that Apache + mod_security + mod_jk + Tomcat has > fewer vulnerabilities than just Tomcat. > > I'd also be very interested to see the evidence (either way) on that. > See, I believe in the statement that the more components you're adding to an environment, the more possibilities there are for a security-hole. However, to believe is not to know... However, when I check full-disclosure and other security-lists, I see few issues referring to Tomcat, but I see quite some issues referring to HTTPD and it's modules. I guess if you're once able to break HTTPD and found your way into the box, harm is on it's way. I further /believe/ that from this point it makes sense to use as few components as possible. Anyhow, that's what I believe, not what I know. Cheers Gregor -- just because your paranoid, doesn't mean they're not after you... gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2 gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 @ http://pgp.mit.edu:11371/ --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org