Hi all,
My recent hardening fix to the class loader [1] provides mitigation for
a current Spring vulnerability [2].
While this is a Spring vulnerability, it may be the case for some users
that updating Tomcat is an easier mitigation path than updating Spring.
What are the community thoughts on cancelling the current releases,
re-tagging and releasing reasonably quickly?
Mark
[1]
https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc
[2]
https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc