On 28/09/2011 18:44, Wilde, Bruce R. wrote:
> So, what are security minded system administrators to do about
> mitigating CVE-2011-3190 against V6.0.33?
>
> From the
> http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.34_(not_yet_released)
> page
>
> "Mitigation options:
>
> Upgrade to Tomcat 6.0.34. [Ed. What is the expected release date?]
> Apply the appropriate patch. [Ed. Patch provides 2 java source files; requiring a re-compilation]
> Configure both Tomcat and the reverse proxy to use a shared secret.
> ...
> Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector implementation.
> ...
> "

It's a fair question, and you do provide answers - but those are aimed at a specific problem. This may be appropriate, but the OP did not declare their interest and we do sometimes have people asking how to compile in Tomcat patches because they misunderstand the release protocol/process. Details matter: it's fair to challenge the question and provide a range of answers if the subject is unclear IMO.

p