Posted to users@tomcat.apache.org by "Yajnik, Shanti" <sh...@hp.com> on 2011/09/15 10:21:44 UTC

Availability of Apache Tomcat 6.0.34?

Hi,


Does anyone know when the fix for the specific vulnerability: CVE-2011-3190 will be available for the 6.0.33 version of Apache Tomcat?

Best Regards,
Shanti

Re: Availability of Apache Tomcat 6.0.34?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Shanti,

On 9/21/2011 1:39 AM, Yajnik, Shanti wrote:
> Thanks Chris. Do you know when 6.0.34 version of Tomcat will be
> available for download?

Nope. It will ship whenever the devs decide it's time for another release.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Availability of Apache Tomcat 6.0.34?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Shanti,

On 9/21/2011 1:39 AM, Yajnik, Shanti wrote:
> Thanks Chris. Do you know when 6.0.34 version of Tomcat will be
> available for download?

Note that there is a simple workaround with affected versions: use
mod_jk's "secret" setting on all your workers and on the JK connector
in Tomcat and you should be safe from this attack.

-chris
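
A check for the workaround described in the reply above, as an added example that is not part of the original thread: it audits a `workers.properties` and a `server.xml` and reports any AJP worker or connector left without a shared secret. It assumes the mod_jk property `worker.<name>.secret` and the Tomcat 6 AJP connector attribute `requiredSecret` (names the thread does not spell out); the worker names and secret value are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread); worker "node2" lacks a secret.
WORKERS_PROPERTIES = """\
worker.list=balancer
worker.balancer.type=lb
worker.balancer.balance_workers=node1,node2
worker.node1.type=ajp13
worker.node1.secret=EXAMPLE-SHARED-SECRET
worker.node2.type=ajp13
"""
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" requiredSecret="EXAMPLE-SHARED-SECRET" />
</Service></Server>
"""

def parse_workers(text):
    """Return {worker_name: {property: value}} from workers.properties text."""
    workers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".", 2)  # worker.<name>.<property>
        if len(parts) == 3 and parts[0] == "worker":
            workers.setdefault(parts[1], {})[parts[2]] = value
    return workers

def audit(workers_text, server_xml):
    """List AJP workers/connectors with no secret, or a secret that matches nothing."""
    findings, connector_secrets = [], set()
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" in conn.get("protocol", "").lower():
            if conn.get("requiredSecret"):
                connector_secrets.add(conn.get("requiredSecret"))
            else:
                findings.append(f"connector:{conn.get('port')}: no requiredSecret")
    for name, props in sorted(parse_workers(workers_text).items()):
        if props.get("type", "ajp13") != "ajp13":
            continue  # lb/status workers do not open AJP connections themselves
        if not props.get("secret"):
            findings.append(f"worker:{name}: no secret")
        elif props["secret"] not in connector_secrets:
            findings.append(f"worker:{name}: secret matches no AJP connector")
    return findings
```
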


RE: Availability of Apache Tomcat 6.0.34?

Posted by "Yajnik, Shanti" <sh...@hp.com>.
Thanks Chris. Do you know when 6.0.34 version of Tomcat will be available for download?

Best Regards,
Shanti
Client Automation | HP Software

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Friday, September 16, 2011 11:02 PM
To: Tomcat Users List
Subject: Re: Availability of Apache Tomcat 6.0.34?


Shanti,

On 9/15/2011 4:21 AM, Yajnik, Shanti wrote:
> Does anyone know when the fix for the specific vulnerability: 
> CVE-2011-3190 will be available for the 6.0.33 version of Apache 
> Tomcat?

The Tomcat team does not release binary patches, so there will never
be a "fix available for 6.0.33". Instead, you will either have to wait
for 6.0.34 to become available, or download the source code from
subversion and compile it yourself.

If you want to create your own 6.0.33 + fix-for-CVE-2011-3190, you'll
need to get the 6.0.33 tag and then manually merge-in the relevant
commits for that bug, then recompile everything.

-chris

