On 31/03/2022 12:25, Rémy Maucherat wrote:
On Thu, Mar 31, 2022 at 1:16 PM Mark Thomas <[email protected]> wrote:

On 31/03/2022 11:48, Rémy Maucherat wrote:
On Thu, Mar 31, 2022 at 11:52 AM Mark Thomas <[email protected]> wrote:

Hi all,

My recent hardening fix to the class loader [1] provides mitigation for
a current Spring vulnerability [2].

While this is a Spring vulnerability, it may be the case for some users
that updating Tomcat is an easier mitigation path than updating Spring.
What are the community thoughts on cancelling the current releases,
re-tagging and releasing reasonably quickly?

Possibly ok but only if the new tag is "immediately" rather than "quickly".

I could start 10.1.x and 10.0.x in the next couple of hours. I can also
cover 8.5.x if Chris isn't available.

+1 then. If it is delayed, I will be in trouble ;)

ACK. I'll start now. I'm assuming I'll need to do 8.5.x too for now.

Mark



Rémy

Mark



Rémy


Mark


[1]
https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc

[2]
https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

