Thank you Mark. I know it's not a Tomcat vulnerability, but if the hardening mitigates the other, then that had me wondering was all.

Thanks for the position clarification.

Jon McAlexander
Infrastructure Engineer, Asst Vice President
Middleware Product Engineering, Wells Fargo
jonmcalexan...@wellsfargo.com

> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Thursday, March 31, 2022 10:08 AM
> To: dev@tomcat.apache.org
> Subject: Re: [VOTE] Release Apache Tomcat 10.1.0-M14
>
> On 31/03/2022 15:56, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Noting the Hardening of the class loader, is this going to require this to be a
> > security release of the newest Tomcat releases (forthcoming), or will they
> > still just be standard releases?
>
> That change does not address a security vulnerability in Apache Tomcat.
> There will be no CVE for this change.
>
> We generally use hardening to refer to things that do not address a
> vulnerability but improve the overall security posture. Typically, these
> changes provide additional defense in depth.
>
> In this instance, it mitigates CVE-2022-22965 which is a Spring Framework
> vulnerability. The main purpose of the release is to provide end users with an
> alternative option if updating Tomcat is simpler than updating the version of
> Spring they are using.
>
> To provide some context, similar recent hardening changes include:
>
> - Using a constant time algorithm to compare passwords. Analysis showed
>   that a timing attack wasn't feasible but we switched now in case it
>   became feasible at some point in the future
>
> - We changed the BeanFactory in 10.1.x (and might back-port the change)
>   to prevent it from being used if an application has a JNDI injection
>   vulnerability
>
> Finally, we will either keep completely silent about security vulnerabilities
> until they are published or we will be completely open about them up front
> (e.g. if there is a zero day).
>
> HTH,
>
> Mark
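The constant-time password comparison Mark lists as a hardening change is worth seeing side by side with the early-exit comparison it replaces. The block below is an added example written for this page; it is not code from the thread or from Tomcat (which is Java), and the secret, alphabet and helper names are all constructed for the illustration. Instead of measuring wall-clock time, each comparator reports how many bytes it examined, which is the quantity a timing attacker indirectly observes; a simulated attacker then tries to recover the secret byte by byte by choosing, at each position, whichever candidate makes the comparator do the most work.

```python
import hmac

# Constructed sample credential for the demonstration (not a real secret).
SECRET = b"correct-horse-battery"


def naive_equals(expected: bytes, supplied: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined).

    The byte count stands in for elapsed time: it grows with the length of
    the matching prefix, which is exactly the signal a timing attack uses.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for e, s in zip(expected, supplied):
        examined += 1
        if e != s:
            return False, examined
    return True, examined


def constant_time_equals(expected: bytes, supplied: bytes):
    """Constant-time comparison. Returns (equal, bytes_examined).

    Every byte is visited and differences are OR-ed together, so the work
    done (and hence the time taken) does not depend on where the first
    mismatch occurs. A length mismatch is folded into the result rather
    than short-circuiting on it.
    """
    result = len(expected) ^ len(supplied)
    examined = 0
    for e, s in zip(expected, supplied):
        examined += 1
        result |= e ^ s
    return result == 0, examined


def library_equals(expected: bytes, supplied: bytes) -> bool:
    """What production code should actually call: the standard library's
    constant-time comparison rather than a hand-rolled loop."""
    return hmac.compare_digest(expected, supplied)


def prefix_oracle(comparator, secret: bytes,
                  alphabet: bytes = b"abcdefghijklmnopqrstuvwxyz-") -> bytes:
    """Simulated timing attacker. At each position it submits every candidate
    byte (padding the rest with '?', which is outside the alphabet so it always
    mismatches) and keeps the candidate that made the comparator work hardest.
    Returns whatever it managed to recover; only a comparator that leaks the
    matching-prefix length lets it recover the real secret.
    """
    recovered = b""
    for pos in range(len(secret)):
        best, best_work = None, -1
        for c in alphabet:
            guess = recovered + bytes([c]) + b"?" * (len(secret) - pos - 1)
            equal, work = comparator(secret, guess)
            if equal:
                return recovered + bytes([c])
            if work > best_work:
                best, best_work = c, work
        recovered += bytes([best])
    return recovered


if __name__ == "__main__":
    print("naive:         ", prefix_oracle(naive_equals, SECRET))
    print("constant-time: ", prefix_oracle(constant_time_equals, SECRET))
```

Against `naive_equals` the oracle walks straight to the full secret because each correct byte buys it one more examined byte; against `constant_time_equals` every candidate costs the same, so the attacker is reduced to guessing. This is the property the hardening buys even when, as Mark notes, nobody has yet shown the timing difference to be measurable over the network.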