On Thu, Mar 31, 2022 at 11:52 AM Mark Thomas <ma...@apache.org> wrote:
>
> Hi all,
>
> My recent hardening fix to the class loader [1] provides mitigation for
> a current Spring vulnerability [2].
>
> While this is a Spring vulnerability, it may be the case for some users
> that updating Tomcat is an easier mitigation path than updating Spring.
> What are the community thoughts on cancelling the current releases,
> re-tagging and releasing reasonably quickly?

Possibly ok but only if the new tag is "immediately" rather than "quickly".

Rémy

> Mark
>
>
> [1]
> https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc
>
> [2]
> https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org