On 31/03/2022 11:48, Rémy Maucherat wrote:
> On Thu, Mar 31, 2022 at 11:52 AM Mark Thomas <ma...@apache.org> wrote:
>> Hi all,
>>
>> My recent hardening fix to the class loader [1] provides mitigation for
>> a current Spring vulnerability [2].
>>
>> While this is a Spring vulnerability, it may be the case for some users
>> that updating Tomcat is an easier mitigation path than updating Spring.
>>
>> What are the community thoughts on cancelling the current releases,
>> re-tagging and releasing reasonably quickly?
>
> Possibly ok but only if the new tag is "immediately" rather than "quickly".

I could start 10.1.x and 10.0.x in the next couple of hours. I can also
cover 8.5.x if Chris isn't available.

Mark

> Rémy
>
>> Mark
>>
>> [1] https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc
>> [2] https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org