On Thu, Mar 31, 2022 at 1:16 PM Mark Thomas <ma...@apache.org> wrote:
>
> On 31/03/2022 11:48, Rémy Maucherat wrote:
> > On Thu, Mar 31, 2022 at 11:52 AM Mark Thomas <ma...@apache.org> wrote:
> >>
> >> Hi all,
> >>
> >> My recent hardening fix to the class loader [1] provides mitigation for
> >> a current Spring vulnerability [2].
> >>
> >> While this is a Spring vulnerability, it may be the case for some users
> >> that updating Tomcat is an easier mitigation path than updating Spring.
> >> What are the community thoughts on cancelling the current releases,
> >> re-tagging and releasing reasonably quickly?
> >
> > Possibly ok but only if the new tag is "immediately" rather than "quickly".
>
> I could start 10.1.x and 10.0.x in the next couple of hours. I can also
> cover 8.5.x if Chris isn't available.

+1 then. If it is delayed, I will be in trouble ;)

Rémy

> Mark
>
> >
> > Rémy
> >
> >> Mark
> >>
> >> [1]
> >> https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc
> >>
> >> [2]
> >> https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org