On 6/21/21 9:42 AM, Christopher Schultz wrote:
I think it depends upon your environment, honestly. There were many organizations where the "AJP endpoint is trusting, because that's what it's for" announcement was a real surprise and represented a must-fix issue immediately. That was not the case for my $work, where we were already protecting our AJP connections and not allowing just anyone to connect.

If you are using h2c, you'll definitely want 8.5.63 or later, as there is a critical fix there.

We don't, so far as I'm aware, use AJP or h2c. The only enabled connectors are HTTPS (still coded as a Tomcat 7.0 connector and using a Java Keystore) and Shutdown.

