Oliver Heister
2017-09-26 08:57:50 UTC
Hi all,
I have two suggestions:
1. The table on http://tomcat.apache.org/whichversion.html has a column
“Supported Java Versions” which has entries like “8 and later”. My
understanding from e.g.
https://marc.info/?l=tomcat-dev&m=150617891913261&w=2 is that currently no
stable Tomcat release supports Java 9 yet.
IMO a remark regarding Java 9 should be added to
http://tomcat.apache.org/whichversion.html .
2. Currently MITM attacks by evil ISPs or WiFi networks are possible
against people downloading Tomcat from
http://tomcat.apache.org/download-80.cgi . (The page has links to PGP, md5
and sha1 hashes for validation, but the links are on an http page that does
not redirect to https. This means they could be replaced in case of MITM.)
IMO an HTTP 301 redirect to the https version and HSTS headers should be
added to http://tomcat.apache.org/ .
Should I try to submit issues in Bugzilla for both?
Best Regards
Oliver
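
A check for the redirect and HSTS behaviour proposed in the message above, as an added example that is not part of the original post or of the Tomcat project. The function names, the host `downloads.example.org`, the 180-day `min_age` threshold and both sample responses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797) into a dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def audit_upgrade(url, http_resp, https_resp, min_age=15552000):
    """Return findings for one URL; an empty list means the upgrade is in place.

    http_resp and https_resp are (status, headers) pairs as observed over
    each scheme. min_age (180 days) is an assumed policy threshold.
    """
    findings = []
    want = urlsplit(url)
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    loc = urlsplit(headers.get("location", ""))
    if status != 301:
        findings.append(f"http: status {status}, expected 301")
    elif loc.scheme != "https" or loc.hostname != want.hostname:
        findings.append("http: 301 does not point to https on the same host")
    if "strict-transport-security" in headers:
        # RFC 6797 section 8.1: the header is ignored on insecure transport.
        findings.append("http: HSTS sent over plain HTTP is ignored by browsers")
    _, tls_headers = https_resp
    tls_headers = {k.lower(): v for k, v in tls_headers.items()}
    age = parse_hsts(tls_headers.get("strict-transport-security", "")).get("max-age", "")
    if not age.isdigit():
        findings.append("https: no valid HSTS max-age")
    elif int(age) < min_age:
        findings.append(f"https: HSTS max-age {age} below {min_age}")
    return findings

# Constructed sample responses (not captured from any real server).
URL = "http://downloads.example.org/download-80.cgi"
BEFORE = ((200, {"Content-Type": "text/html"}), (200, {"Content-Type": "text/html"}))
AFTER = ((301, {"Location": "https://downloads.example.org/download-80.cgi"}),
         (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))

if __name__ == "__main__":
    for label, (plain, tls) in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_upgrade(URL, plain, tls) or "ok")
```

The redirect alone still leaves the first plain-HTTP request exposed; the HSTS header on the HTTPS response is what makes later visits skip that request.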