James,

On 6/19/21 11:31, James H. H. Lampert wrote:
> We are finally migrating customer installations from 7 to 8.5.
> Would anybody happen to know, off the top of his or her head, what the
> most recent security-related update to 8.5 is?
> I know that 68 is the most recent release, but what's the most recent
> one that addresses a significant security issue?

I think it depends upon your environment, honestly. There were many
organizations where the "AJP endpoint is trusting, because that's what
it's for" announcement was a real surprise and represented a must-fix
issue immediately. That was not the case for my $work, where we were
already protecting our AJP connections and not allowing just anyone to
connect.

If you are using h2c, you'll definitely want 8.5.63 or later, as
there is a critical fix there.

> Also, while I'm here, can somebody point me to an example of how to code
> the Manager's RemoteAddrValve setting to allow access from, say, two or
> three arbitrary IP addresses?

Take a look at the example configuration that ships with the Manager. It
already includes 2 specific IPs and one range. It's a regular
expression. If you aren't too good with those, find someone who is or
give a specific example and someone here can probably help.
-chris
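
Added example, not part of the original message and not Tomcat project code: a Python check for a candidate RemoteAddrValve allow pattern before it goes into the Manager's context.xml. It assumes the valve matches the pattern against the entire remote address string and uses Python's re module in place of java.util.regex, which behaves the same for these simple patterns; every address below is a constructed sample and the function names are hypothetical.

```python
import re

VALVE = "org.apache.catalina.valves.RemoteAddrValve"

def build_allow(addresses):
    """Join literal addresses into one alternation, escaping regex metacharacters."""
    return "|".join(re.escape(a) for a in addresses)

def valve_allows(allow, remote_addr):
    """Whole-string match (assumption: this mirrors how the valve applies allow=)."""
    return re.fullmatch(allow, remote_addr) is not None

def audit(allow, expect_allow, expect_deny):
    """Return (wrongly_denied, wrongly_allowed) for a candidate pattern."""
    wrongly_denied = [a for a in expect_allow if not valve_allows(allow, a)]
    wrongly_allowed = [a for a in expect_deny if valve_allows(allow, a)]
    return wrongly_denied, wrongly_allowed

def valve_element(allow):
    """Render the <Valve> element to paste into the Manager's context.xml."""
    return '<Valve className="%s"\n       allow="%s" />' % (VALVE, allow)

# Constructed sample data: RFC 5737 documentation addresses plus both
# spellings of the IPv6 loopback address.
ADMINS = ["192.0.2.10", "198.51.100.7", "::1", "0:0:0:0:0:0:0:1"]
OUTSIDERS = ["192.0.2.1", "192.0.2.100", "198.51.100.70",
             "203.0.113.5", "127.0.0.1"]

# A hand-written pattern with trailing ".*" that admits more hosts than intended.
LOOSE = r"192\.0\.2\.10.*|198\.51\.100\.7.*|::1|0:0:0:0:0:0:0:1"

if __name__ == "__main__":
    strict = build_allow(ADMINS)
    print(valve_element(strict))
    print("strict:", audit(strict, ADMINS, OUTSIDERS))
    print("loose: ", audit(LOOSE, ADMINS, OUTSIDERS))
```

Both lists returned by audit() should be empty before the pattern is deployed.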