Posted to announce@apache.org by Rainer Jung <rj...@apache.org> on 2007/05/18 21:45:49 UTC

[ANN] Apache Tomcat JK 1.2.23 Web Server Connector released

The Apache Tomcat team is pleased to announce the immediate availability
of version 1.2.23 of the Apache Tomcat Connectors.

It contains connectors, which allow a web server such as Apache HTTPD,
Microsoft IIS and Sun Web Server to act as a front end to the Tomcat web
application server.

This version contains only one security fix:

CVE-2007-1860: Information disclosure
(patch for CVE-2007-0450 was insufficient)

With the mod_jk default configuration, double encoded URLs could break 
JkMount access control. A complete fix might need configuration 
adjustments. Please consult

http://tomcat.apache.org/security-jk.html

for a more detailed description. Please note that this issue only
affected the Apache HTTPD module mod_jk.

Source distributions can be downloaded from an
Apache Software Foundation mirror at:

http://tomcat.apache.org/download-connectors.cgi

Binary distributions for a number of different operating systems and
web servers can be downloaded from an
Apache Software Foundation mirror at:

http://tomcat.apache.org/download-connectors.cgi

Documentation for using JK with Tomcat 3.3, 4.1, 5.0 and 5.5
can be found at:

http://tomcat.apache.org/connectors-doc/

Thank you,

-- The Apache Tomcat Team




Re: [ANN] Apache Tomcat JK 1.2.23 Web Server Connector released

Posted by Guenter Knauf <fu...@apache.org>.
Hi Rainer,
> Yes, I tried to delete all older versions of binaries (tried = as far as
> permissions allowed), but for some platforms we don't have 1.2.23
> binaries, so I kept the latest available ones.
that was what I expected.

> There is an open point, if we can find a way of distributing contributed
> builds. I know we could get some, but there were valid concerns, if we
> should sign those with our own keys. So we would need some notion of
> "contributed" and could put the binaries there.
hmm, yes, that's a problem...

>>> 4) why do we prefix the directories with 'jk-' although 'jk' is already
>>> in the path?
>> No particular reason I am aware of. We just do.

> Seems to be history, and you decided to drop it for Netware :)
that was by accident - did rename the directory to be in sync with the others;
I thought that some longer time ago we did without, but when I looked through the archives it looked as if we did all the time; so it was merely a question before I checked the archives, and not the wish to change....

> So if the archives are important, we could replace the link text
> "archives..." with something a little more prominent. Suggestions?
well, thanks to Mark pointing me to the archives I solved this with the README file where I inserted the link to the archive, so all fine for now; 
and if we find the memory leak with mod_jk AP13 then with 1.2.24 I can again provide binaries for AP13 and NS.

thanks, Guen.



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [ANN] Apache Tomcat JK 1.2.23 Web Server Connector released

Posted by Rainer Jung <ra...@kippdata.de>.
>> Then I found on the main docu page:
>> http://tomcat.apache.org/connectors-doc/
>> that there are direct links to the previous source versions, but all end up in a 'NOT FOUND';
>> should we change these to point to the archive now?
> I would point all of these to the download pages. We should never
> include links directly to the Apache download area for the latest
> release. We should use the mirrors. Pointing to our download pages is
> the quickest way of doing this.

Good point. I'll look into the index page and the various news pages to 
make their links more lasting. Unfortunately since the download script 
has no intelligence concerning old releases and the archive this will 
also mean making them more unspecific.

Regards,

Rainer



Re: [ANN] Apache Tomcat JK 1.2.23 Web Server Connector released

Posted by Mark Thomas <ma...@apache.org>.
Guenter Knauf wrote:
>>> 3) where do the older versions go?
>> They are automatically copied to archive.apache.org which is linked
>> off the Tomcat homepage.
> I found though that the README.html files which are commonly used to provide further information about the releases are not copied.
For Tomcat 4/5/6 the README.html stays pretty much the same and the
per release information is found in a file called RELEASE-NOTES. This
file is copied to the archives. I believe this is standard across
Apache so we should use it for the connectors too.

>>> Then I would like to have at least the last three versions always up, +
>>> the last version we have for any platforms where we cant build self, or
>>> where the maintainer is currently busy and some versions behind.
>> -1.
>> dist (and the mirrors) should only have the current stable version and
>>  the latest non-stable release if there has been one since the last
>> stable release.
> so does this mean if we dont have a binary from current version the directory should remain empty?
> Or should there then remain the last version we have as you wrote in 1) ?
Every rule has an exception ;). You are right. For binaries, dist
should contain the latest *available* stable binary and the latest
*available* non-stable release if it is more recent than the
latest stable one.

> Then I found on the main docu page:
> http://tomcat.apache.org/connectors-doc/
> that there are direct links to the previous source versions, but all end up in a 'NOT FOUND';
> should we change these to point to the archive now?
I would point all of these to the download pages. We should never
include links directly to the Apache download area for the latest
release. We should use the mirrors. Pointing to our download pages is
the quickest way of doing this.

Mark




Re: [ANN] Apache Tomcat JK 1.2.23 Web Server Connector released

Posted by Guenter Knauf <fu...@apache.org>.
Hi Mark,
>> 1) why do some folders list older versions while others do not?
> Probably because they are the latest stable version for that platform.

>> 2) why do we have a history of the last 3 versions with Win32 but no
>> history for any other platform?
> Because the old versions weren't cleaned out. They should have been.

>> 3) where do the older versions go?
> They are automatically copied to archive.apache.org which is linked
> off the Tomcat homepage.
I found though that the README.html files which are commonly used to provide further information about the releases are not copied.

>> I probably missed that there's somewhere an archive from where older
>> versions can be downloaded...
> This is not correct. It is available along with all other versions in
> the archive.
that was what I missed - thanks!

>> Then I would like to have at least the last three versions always up, +
>> the last version we have for any platforms where we cant build self, or
>> where the maintainer is currently busy and some versions behind.
> -1.
> dist (and the mirrors) should only have the current stable version and
>  the latest non-stable release if there has been one since the last
> stable release.
so does this mean if we dont have a binary from current version the directory should remain empty?
Or should there then remain the last version we have as you wrote in 1) ?

If they should remain empty then I would find it useful to have a README in which points to the related archive, and I volunteer to create these if there's agreement. There are probably a lot of users who just link to the dist directory of their platform, and would find a pointer to the archives useful.

Then I found on the main docu page:
http://tomcat.apache.org/connectors-doc/
that there are direct links to the previous source versions, but all end up in a 'NOT FOUND';
should we change these to point to the archive now?

Guen.





Re: [ANN] Apache Tomcat JK 1.2.23 Web Server Connector released

Posted by Rainer Jung <ra...@kippdata.de>.
I'm trying to follow this thread, I hope I'm not duplicating things.

Mark Thomas wrote:
> Guenter Knauf wrote:
>> this makes me ask a couple of questions:
> Remember we only *have* to make the source available. Anything we do
> on the binary front is just being helpful and the release manager is
> unlikely to have access to build binaries for all platforms.
> 
>> 1) why do some folders list older versions while others do not?
> Probably because they are the latest stable version for that platform.

Yes, I tried to delete all older versions of binaries (tried = as far as 
permissions allowed), but for some platforms we don't have 1.2.23
binaries, so I kept the latest available ones.

There is an open point, if we can find a way of distributing contributed 
builds. I know we could get some, but there were valid concerns, if we 
should sign those with our own keys. So we would need some notion of
"contributed" and could put the binaries there.

>> 2) why do we have a history of the last 3 versions with Win32 but no history for any other platform?
> Because the old versions weren't cleaned out. They should have been.

I had no permissions to delete them, I'll write to the owners directly 
to remove them.

>> 3) where do the older versions go?
> They are automatically copied to archive.apache.org which is linked
> off the Tomcat homepage.
> 
>> 4) why do we prefix the directories with 'jk-' although 'jk' is already in the path?
> No particular reason I am aware of. We just do.

Seems to be history, and you decided to drop it for Netware :)

>> For NetWare I would like to have at least the 1.2.15 release up again since that was last version where I supported Apache 1.3.x and Netscape - I point to this version in the README but obviously nobody can download anymore (except from my personal homedir). Sure its no problem for me just copy this over, but first I wanted to discuss that here, and ask if I probably missed that there's somewhere an archive from where older versions can be downloaded...
> This is not correct. It is available along with all other versions in
> the archive.
> 
>> Then I would like to have at least the last three versions always up, + the last version we have for any platforms where we cant build self, or where the maintainer is currently busy and some versions behind.
> -1.
> dist (and the mirrors) should only have the current stable version and
>  the latest non-stable release if there has been one since the last
> stable release.
> 
>> This makes also sense in case it turns out later that we broke something with a release, and users may have to switch back.
> Again, that is what the archives are for.

So if the archives are important, we could replace the link text 
"archives..." with something a little more prominent. Suggestions?



Re: [ANN] Apache Tomcat JK 1.2.23 Web Server Connector released

Posted by Mark Thomas <ma...@apache.org>.
Guenter Knauf wrote:
> this makes me ask a couple of questions:
Remember we only *have* to make the source available. Anything we do
on the binary front is just being helpful and the release manager is
unlikely to have access to build binaries for all platforms.

> 1) why do some folders list older versions while others do not?
Probably because they are the latest stable version for that platform.

> 2) why do we have a history of the last 3 versions with Win32 but no history for any other platform?
Because the old versions weren't cleaned out. They should have been.

> 3) where do the older versions go?
They are automatically copied to archive.apache.org which is linked
off the Tomcat homepage.

> 4) why do we prefix the directories with 'jk-' although 'jk' is already in the path?
No particular reason I am aware of. We just do.

> For NetWare I would like to have at least the 1.2.15 release up again since that was last version where I supported Apache 1.3.x and Netscape - I point to this version in the README but obviously nobody can download anymore (except from my personal homedir). Sure its no problem for me just copy this over, but first I wanted to discuss that here, and ask if I probably missed that there's somewhere an archive from where older versions can be downloaded...
This is not correct. It is available along with all other versions in
the archive.

> Then I would like to have at least the last three versions always up, + the last version we have for any platforms where we cant build self, or where the maintainer is currently busy and some versions behind.
-1.
dist (and the mirrors) should only have the current stable version and
the latest non-stable release if there has been one since the last
stable release.

> This makes also sense in case it turns out later that we broke something with a release, and users may have to switch back.
Again, that is what the archives are for.

Mark



Re: [ANN] Apache Tomcat JK 1.2.23 Web Server Connector released

Posted by Henri Gomez <he...@gmail.com>.
2007/5/20, Guenter Knauf <fu...@apache.org>:
> Hi Henri,
> > The iSeries (i5/OS) version need stuff added after 1.22 so it will be
> > available in 1.24...
> dont get me wrong - I didnt want to kick here, it was only a question why we had different handling for each platform....

I know, it was more to inform i5/OS users (knock knock, are there any
jk i5/OS users around?)



Re: [ANN] Apache Tomcat JK 1.2.23 Web Server Connector released

Posted by Guenter Knauf <fu...@apache.org>.
Hi Henri,
> The iSeries (i5/OS) version need stuff added after 1.22 so it will be
> available in 1.24...
dont get me wrong - I didnt want to kick here, it was only a question why we had different handling for each platform....

Guen.





Re: [ANN] Apache Tomcat JK 1.2.23 Web Server Connector released

Posted by Henri Gomez <he...@gmail.com>.
The iSeries (i5/OS) version need stuff added after 1.22 so it will be
available in 1.24...

2007/5/20, Guenter Knauf <fu...@apache.org>:
> Hi all,
> > The Apache Tomcat team is pleased to announce the immediate availability
> > of version 1.2.23 of the Apache Tomcat Connectors.
> somehow I've a problem with our distribution directories......
> currently I see:
>
> http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/aix/
>   empty folder
> http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/freebsd/
>   empty folder
> http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/iseries/
>   empty folder
> http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/linux/
>   jk-1.2.21
> http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/macosx/
>   empty folder
> http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/netware/
>   jk-1.2.23
> http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/solaris/
>   jk-1.2.21
> http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/
>   jk-1.2.21
>   jk-1.2.22
>   jk-1.2.23
> http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win64/
>   jk-1.2.23
>
> this makes me ask a couple of questions:
> 1) why do some folders list older versions while others do not?
> 2) why do we have a history of the last 3 versions with Win32 but no history for any other platform?
> 3) where do the older versions go?
> 4) why do we prefix the directories with 'jk-' although 'jk' is already in the path?
>
> For NetWare I would like to have at least the 1.2.15 release up again since that was last version where I supported Apache 1.3.x and Netscape - I point to this version in the README but obviously nobody can download anymore (except from my personal homedir). Sure its no problem for me just copy this over, but first I wanted to discuss that here, and ask if I probably missed that there's somewhere an archive from where older versions can be downloaded...
> Then I would like to have at least the last three versions always up, + the last version we have for any platforms where we cant build self, or where the maintainer is currently busy and some versions behind.
> This makes also sense in case it turns out later that we broke something with a release, and users may have to switch back.
>
> what do you think?
>
> greets, Guen.
>
>
>
>
>



Re: [ANN] Apache Tomcat JK 1.2.23 Web Server Connector released

Posted by Rainer Jung <ra...@kippdata.de>.
William A. Rowe, Jr. wrote:
> Rainer Jung wrote:
>> I had no permissions to delete them, I'll write to the owners directly
>> to remove them.
> 
> You can often find someone with root perms hanging out on #asfinfra on
> irc.freenode.net, or can email infrastructure@a.o to ask for perms to be
> reset to 664 as they were -supposed- to be in the first place.
> 
> Do email the owners to beg them to fix their umask.  I recommend that
> instead of your .profile/.bash_profile, you fix them in your .bashrc and
> .cshrc files, so that scp picks them up by default when depositing files
> via scp.  umask 002  is all you are looking for to ensure 664 ownership.

We fixed it bilateral, no need to escalate.

Things like this often happen, when you use archives to transfer your 
files to p.a.o. Another reason is, that my fingers have a builtin "-p" 
when I do cp or scp. Then the umask unfortunately doesn't help. Of 
course we all know, how to handle this, but it can break relatively easy.

Regards,

Rainer




Re: [ANN] Apache Tomcat JK 1.2.23 Web Server Connector released

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Guenter Knauf wrote:
> 3) where do the older versions go?

Trivial answer; http://archive.apache.org/dist/ is a complete historical
record of http://www.apache.org/dist/ - all automated.  So delete stale
flavors at will.

Rainer Jung wrote:
>
> I had no permissions to delete them, I'll write to the owners directly
> to remove them.

You can often find someone with root perms hanging out on #asfinfra on
irc.freenode.net, or can email infrastructure@a.o to ask for perms to be
reset to 664 as they were -supposed- to be in the first place.

Do email the owners to beg them to fix their umask.  I recommend that
instead of your .profile/.bash_profile, you fix them in your .bashrc and
.cshrc files, so that scp picks them up by default when depositing files
via scp.  umask 002  is all you are looking for to ensure 664 ownership.

Bill
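
The umask advice in this message and Rainer's remark about `-p` in his reply can be checked on a scratch directory. This is an added example, not part of the original thread; the function names and file names are constructed for illustration, and it exercises local `cp -p` only, together with an audit for entries that lack group write.

```shell
#!/bin/sh
# Added illustration: works only on a scratch directory made with mktemp.
# Function names and file names are constructed for this example.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create an empty file under a given umask and print the resulting mode.
# The subshell keeps the umask change away from the calling shell.
create_with_umask() {    # $1 = umask, $2 = new file
    ( umask "$1"; : > "$2" ) && mode_of "$2"
}

# Copy with -p under a given umask and print the mode of the copy.
# -p carries the source mode over, so the umask has no say here.
copy_preserving() {      # $1 = umask, $2 = source, $3 = destination
    ( umask "$1"; cp -p "$2" "$3" ) && mode_of "$3"
}

# Files and directories below $1 that lack the group-write bit.
not_group_writable() {
    find "$1" \( -type f -o -type d \) ! -perm -020 | sort
}

# Add group write wherever the audit above would report it missing.
repair_group_write() {
    find "$1" \( -type f -o -type d \) ! -perm -020 -exec chmod g+w {} +
}

demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/dist" && chmod 775 "$work/dist"
    echo "umask 022, new file: $(create_with_umask 022 "$work/dist/a.tar.gz")"
    echo "umask 002, new file: $(create_with_umask 002 "$work/dist/b.tar.gz")"
    ( umask 077; : > "$work/private.zip" )      # source created as 600
    echo "umask 002, cp -p:    $(copy_preserving 002 "$work/private.zip" "$work/dist/c.zip")"
    echo "lacking group write before repair:"
    not_group_writable "$work/dist"
    repair_group_write "$work/dist"
    echo "lacking group write after repair: $(not_group_writable "$work/dist" | wc -l)"
    rm -rf "$work"
}

demo
```

Running the audit after each upload catches files whose mode was carried over from the source instead of being shaped by the umask.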



Re: [ANN] Apache Tomcat JK 1.2.23 Web Server Connector released

Posted by Guenter Knauf <fu...@apache.org>.
Hi all,
> The Apache Tomcat team is pleased to announce the immediate availability
> of version 1.2.23 of the Apache Tomcat Connectors.
somehow I've a problem with our distribution directories......
currently I see:

http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/aix/
  empty folder
http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/freebsd/
  empty folder
http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/iseries/
  empty folder
http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/linux/
  jk-1.2.21
http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/macosx/
  empty folder
http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/netware/
  jk-1.2.23
http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/solaris/
  jk-1.2.21
http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/
  jk-1.2.21
  jk-1.2.22
  jk-1.2.23
http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win64/
  jk-1.2.23

this makes me ask a couple of questions:
1) why do some folders list older versions while others do not?
2) why do we have a history of the last 3 versions with Win32 but no history for any other platform?
3) where do the older versions go?
4) why do we prefix the directories with 'jk-' although 'jk' is already in the path?

For NetWare I would like to have at least the 1.2.15 release up again since that was last version where I supported Apache 1.3.x and Netscape - I point to this version in the README but obviously nobody can download anymore (except from my personal homedir). Sure its no problem for me just copy this over, but first I wanted to discuss that here, and ask if I probably missed that there's somewhere an archive from where older versions can be downloaded...
Then I would like to have at least the last three versions always up, + the last version we have for any platforms where we cant build self, or where the maintainer is currently busy and some versions behind.
This makes also sense in case it turns out later that we broke something with a release, and users may have to switch back.

what do you think?

greets, Guen.


