Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2015/05/06 00:37:32 UTC

Time for a 6.0.x release

It has been about 6 months since the last release, the changelog is
reasonably long so I think it is time for 6.0.44.

To top the above, Red Hat recently published information on an
undisclosed security vulnerability that is fixed in 6.0.x but isn't yet
in a release[1]. It would be good to get 6.0.44 out with a fix for this
even though the issue is far less severe than Red Hat's assessment.[2]

So, there are a couple of patches in the 6.0.x status file that need
votes (although neither looks like they are essential for 6.0.44). Votes
and any additional patches welcome. I am aiming to tag 6.0.x in the next
day or so.

Mark


[1] http://www.openwall.com/lists/oss-security/2015/04/10/1

[2] Red Hat incorrectly described the issue as an unrestricted file
upload flaw where "you can very easily eat up all server ram". The
reality is all you can do with this flaw is keep a connection open and a
thread allocated at the expense of having to stream data to the server.
It only just qualified as a security issue because Tomcat never closes
the connection. There are easier ways of triggering a DoS than this issue.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Time for a 6.0.x release

Posted by jean-frederic clere <jf...@gmail.com>.
On 05/06/2015 12:37 AM, Mark Thomas wrote:
> It has been about 6 months since the last release, the changelog is
> reasonably long so I think it is time for 6.0.44.

I am on it

Cheers

Jean-Frederic