Aron Kramlik wrote:
> Has there been a definitive list of these security problems with
> TC 3.1 or TC 3.2?
>
The definitive lists of what vulnerabilities were fixed are in the release notes
document for each version (file "doc/readme" in the download).
Subscribers to TOMCAT-DEV also saw the CVS commits that included the fixes for
these problems, so that you can also see *how* they were fixed. Look for the
"tag" modifier to tell you which version was being updated by any particular
patch.
>
> What are the "appropriate contents" of the $TOMCAT_HOME directory
> that I need to replace for both TC 3.1 and TC 3.2?
>
The details depend on how you've deployed Tomcat, and whether or not you've kept
any of the applications that were shipped. Perhaps the simplest approach is to
simply replace the entire contents of your TOMCAT_HOME directory and they
redeploy all of your applications in it (and restore customizations to things
like "conf/servler.xml") -- but it's hard to be specific, given the variety of
approaches people take.
The key point, though, is that you do *not* have to recompile or reinstall the
native code web connector modules in order to install these updates.
>
> Aron Kramlik.
>
Craig
