So, what are security-minded system administrators to do about mitigating CVE-2011-3190 against V6.0.33?
From the http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.34_(not_yet_released) page

"Mitigation options:
Upgrade to Tomcat 6.0.34. [Ed. What is the expected release date?]
Apply the appropriate patch. [Ed. Patch provides 2 java source files; requiring a re-compilation]
Configure both Tomcat and the reverse proxy to use a shared secret. ...
Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector implementation. ...
"

V/R,
Bruce

-----Original Message-----
From: users-return-228011-BRUCE.R.WILDE=saic....@tomcat.apache.org [mailto:users-return-228011-BRUCE.R.WILDE=saic....@tomcat.apache.org] On Behalf Of Pid
Sent: Wednesday, September 28, 2011 1:34 PM
To: Tomcat Users List
Subject: Re: Incorporating changes and compiling Tomcat

On 27/09/2011 21:58, gilbert.be...@bcbssc.com wrote:
> Can anyone please direct me to instructions on how to incorporate fixes and then recompile. Target OS is Windows Server 2003. Thanks!

Note: Tomcat doesn't issue patches, a new version is released.

Unless you are planning to write patches yourself, you should just download the latest version.

p
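For the two configuration-based mitigations quoted in the message above (shared secret, BIO AJP connector), a small audit of `server.xml` can show which AJP connectors already have one of them in place. This is an added example, not part of the original thread or of Tomcat itself; the sample `server.xml`, the ports, and the `CHANGE_ME` value are constructed, and `requiredSecret` is the Tomcat 6 AJP connector attribute for the shared secret as documented by Tomcat, not named in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the original thread).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Connector port="8010" protocol="AJP/1.3" requiredSecret="CHANGE_ME" />
    <Connector port="8011" protocol="org.apache.jk.server.JkCoyoteHandler" />
    <Connector port="8012" protocol="org.apache.coyote.ajp.AjpProtocol" />
  </Service>
</Server>
"""

# Connector implementation named in the quoted mitigation list.
BIO_HANDLER = "org.apache.jk.server.JkCoyoteHandler"


def is_ajp(protocol):
    """True for the AJP alias or any explicit AJP handler class name."""
    p = protocol.lower()
    return p == "ajp/1.3" or p == BIO_HANDLER.lower() or ".ajp." in p


def audit_ajp_connectors(server_xml):
    """Return [(port, status)] for every AJP connector in server.xml.

    status is "shared-secret" if requiredSecret is set, "bio-handler" if the
    BIO implementation is selected explicitly, otherwise "review".
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default
        if not is_ajp(protocol):
            continue
        if conn.get("requiredSecret"):
            status = "shared-secret"
        elif protocol == BIO_HANDLER:
            status = "bio-handler"
        else:
            # protocol="AJP/1.3" leaves the implementation choice to Tomcat,
            # so the config alone does not show which connector is running.
            status = "review"
        findings.append((conn.get("port"), status))
    return findings


if __name__ == "__main__":
    for port, status in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {status}")
```

A connector reported as "shared-secret" is only half of that mitigation: the reverse proxy has to be configured with the same secret.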