Re: Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Mark Thomas
On 31/03/2022 12:25, Rémy Maucherat wrote: On Thu, Mar 31, 2022 at 1:16 PM Mark Thomas wrote: On 31/03/2022 11:48, Rémy Maucherat wrote: On Thu, Mar 31, 2022 at 11:52 AM Mark Thomas wrote: Hi all, My recent hardening fix to the class loader [1] provides mitigation for a current Spring

Re: Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Mark Thomas
On 31/03/2022 12:33, Konstantin Kolinko wrote: Thu, 31 Mar 2022 at 12:52, Mark Thomas : Hi all, My recent hardening fix to the class loader [1] provides mitigation for a current Spring vulnerability [2]. While this is a Spring vulnerability, it may be the case for some users than updating T

Re: Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Konstantin Kolinko
Thu, 31 Mar 2022 at 12:52, Mark Thomas : > > Hi all, > > My recent hardening fix to the class loader [1] provides mitigation for > a current Spring vulnerability [2]. > > While this is a Spring vulnerability, it may be the case for some users > that updating Tomcat is an easier mitigation path th

Re: Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Rémy Maucherat
On Thu, Mar 31, 2022 at 1:16 PM Mark Thomas wrote: > > On 31/03/2022 11:48, Rémy Maucherat wrote: > > On Thu, Mar 31, 2022 at 11:52 AM Mark Thomas wrote: > >> > >> Hi all, > >> > >> My recent hardening fix to the class loader [1] provides mitigation for > >> a current Spring vulnerability [2]. >

Re: Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Mark Thomas
On 31/03/2022 11:48, Rémy Maucherat wrote: On Thu, Mar 31, 2022 at 11:52 AM Mark Thomas wrote: Hi all, My recent hardening fix to the class loader [1] provides mitigation for a current Spring vulnerability [2]. While this is a Spring vulnerability, it may be the case for some users than upda

Re: Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Rémy Maucherat
On Thu, Mar 31, 2022 at 11:52 AM Mark Thomas wrote: > > Hi all, > > My recent hardening fix to the class loader [1] provides mitigation for > a current Spring vulnerability [2]. > > While this is a Spring vulnerability, it may be the case for some users > that updating Tomcat is an easier mitigati

Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Mark Thomas
Hi all, My recent hardening fix to the class loader [1] provides mitigation for a current Spring vulnerability [2]. While this is a Spring vulnerability, it may be the case for some users that updating Tomcat is an easier mitigation path than updating Spring. What are the community thoughts