On 6/21/21 9:42 AM, Christopher Schultz wrote:
If you are using h2c, you'll definitely want 8.5.63 or later, as there is a critical fix there.

My understanding, based on what I looked up a week and a half ago, is that we're not using h2c, but at the same time, I don't think I fully understand what "h2c" is.

I will note, however, that the Tomcat servers in question are *not* configured to listen on any ports other than HTTPS (either 443, 8443, or something else in that vein) and the shutdown port.

Also, I've got somebody complaining about CVE-2021-25329. I'm not sure I understand what CVE-2021-25329 is, or what the underlying CVE-2020-9484 is. And
https://nvd.nist.gov/vuln/detail/CVE-2020-9484
doesn't exactly help a whole lot: it talks about "PersistenceManager," and I'm not entirely sure what that even *is.*

--
JHHL


