On 6/21/21 9:42 AM, Christopher Schultz wrote:
If you are using h2c, you'll definitely want to 8.5.63 or later, as there is a critical fix there.

My understanding, based on what I looked up a week and a half ago, is that we're not using h2c, but at the same time, don't think I fully understand what "h2c" is.

I will note, however, that the Tomcat servers in question are *not* configured to listen on any ports other than HTTPS (either 443, 8443, or something else in that vein) and the shutdown port.

Also, I've got somebody complaining about CVE-2021-25329. I'm not sure I understand what CVE-2021-25329 is, or what the underlying CVE-2020-9484 is. And
doesn't exactly help a whole lot: it talks about "PersistenceManager," and I'm not entirely sure what that even *is.*


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to