jakarta-site-cvs mailing list archives

From r...@apache.org
Subject cvs commit: jakarta-site2/xdocs/site binindex.xml news.xml
Date Tue, 24 Sep 2002 11:46:37 GMT
remm        2002/09/24 04:46:36

  Modified:    docs     index.html
               docs/site binindex.html news.html
               xdocs    index.xml
               xdocs/site binindex.xml news.xml
  Log:
  - Security bulletin.
  - Tomcat 4.0.5 and 4.1.12 releases.
  
  Revision  Changes    Path
  1.150     +1 -0      jakarta-site2/docs/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/docs/index.html,v
  retrieving revision 1.149
  retrieving revision 1.150
  diff -u -r1.149 -r1.150
  --- index.html	16 Sep 2002 22:37:53 -0000	1.149
  +++ index.html	24 Sep 2002 11:46:36 -0000	1.150
  @@ -153,6 +153,7 @@
           <blockquote>
                                       <p>
   <ul>
  +<li><a href="site/news.html#0924.1">24 September 2002 - <b>Security updates:
Tomcat 4.1.12 Stable and Tomcat 4.0.5 Released</b></a></li>
   <li><a href="site/news.html#0916.1">16 September 2002 - <b>Avalon-Phoenix
4.0 Released</b></a></li>
   <li><a href="site/news.html#0912.1">12 September 2002 - <b>Commons Discovery
0.1 Released</b></a></li>
   <li><a href="site/news.html#0906.1">06 September 2002 - <b>Tomcat 4.1.10
Stable Released</b></a></li>
  
  
  
  1.213     +2 -2      jakarta-site2/docs/site/binindex.html
  
  Index: binindex.html
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/docs/site/binindex.html,v
  retrieving revision 1.212
  retrieving revision 1.213
  diff -u -r1.212 -r1.213
  --- binindex.html	13 Sep 2002 04:21:52 -0000	1.212
  +++ binindex.html	24 Sep 2002 11:46:36 -0000	1.213
  @@ -225,8 +225,8 @@
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-taglibs/releases/">Taglibs</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.2.4/bin/">Tomcat
3.2.4</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.3.1/bin/">Tomcat
3.3.1</a></li>
  -<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.4/">Tomcat
4.0.4</a></li>
  -<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.10/">Tomcat
4.1.10</a></li>
  +<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.5/">Tomcat
4.0.5</a></li>
  +<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.12/">Tomcat
4.1.12</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-turbine/release/2.1/">Turbine
2.1</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-velocity/release/v1.2/">Velocity
1.2</a></li>
   </ul>
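
Review bot: The two new Tomcat entries link to http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.5/ and .../v4.1.12/, while the news item added in this same commit sends readers to http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/ for the same two releases. For a security release, point both pages at one canonical location so readers are not left comparing two download paths: pick one base URL and use it in binindex and in the announcement.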
  
  
  
  1.227     +37 -1     jakarta-site2/docs/site/news.html
  
  Index: news.html
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/docs/site/news.html,v
  retrieving revision 1.226
  retrieving revision 1.227
  diff -u -r1.226 -r1.227
  --- news.html	16 Sep 2002 22:37:54 -0000	1.226
  +++ news.html	24 Sep 2002 11:46:36 -0000	1.227
  @@ -151,7 +151,43 @@
         </td></tr>
         <tr><td>
           <blockquote>
  -                                    <a name="0916.1">
  +                                    <a name="0924.1">
  +<h3>24 September 2002 - Security updates: Tomcat 4.1.12 Stable and Tomcat 4.0.5 Released</h3>
  +</a>
  +                                                <p>
  +  A security vulnerability has been confirmed to exist in all Apache Tomcat 
  +4.x versions (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows to use 
  +a specially crafted URL to return the unprocessed source of a JSP page, or 
  +under special circumstances a static resource which would otherwise have been 
  +protected by security constraint, without the need of being properly 
  +authenticated.
  +<br /><br />
  +Using the invoker servlet in conjunction with the default servlet 
  +(responsible for handling static content in Tomcat) triggers this 
  +vulnerability. This particular configuration is available in the default 
  +Tomcat configuration. An easy workaround exists for existing Tomcat 
  +installation, by disabling the invoker servlet in the default webapp 
  +configuration.
  +<br /><br />
  +In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml), comment
out or remove the following XML fragment:
  +<br />
  +<code>
  +    &lt;servlet-mapping&gt;
  +        &lt;servlet-name&gt;invoker&lt;/servlet-name&gt;
  +        &lt;url-pattern&gt;/servlet/*&lt;/url-pattern&gt;
  +    &lt;/servlet-mapping&gt;
  +</code>
  +<br /><br />
  +The Apache Tomcat Team announces the immediate availability of new releases which include
a fix to the invoker servlet.
  +<br />
  +Binary and source distributions for Apache Tomcat 4.1.12 Stable are available 
  +<a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/">here</a>.
  +<br />
  +Binary and source distributions for Apache Tomcat 4.0.5 are available
  +<a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/">here</a>.
  +</p>
  +                                                <hr size="1" noshade="noshade" />
  +                                                <a name="0916.1">
   <h3>16 September 2002 - Avalon-Phoenix 4.0 Released</h3>
   </a>
                                                   <p>
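
Review bot: The workaround paragraph tells administrators to comment out the invoker servlet-mapping in conf/web.xml but does not say what stops working or when the change takes effect. Suggest adding one sentence that requests under /servlet/* will no longer be served by the invoker once the mapping is removed, and stating whether Tomcat has to be restarted for the edit to apply. Wording nits in the same block: "which allows to use a specially crafted URL to return" reads better as "which allows a specially crafted URL to return", and "for existing Tomcat installation" should be "installations".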
  
  
  
  1.112     +1 -0      jakarta-site2/xdocs/index.xml
  
  Index: index.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/xdocs/index.xml,v
  retrieving revision 1.111
  retrieving revision 1.112
  diff -u -r1.111 -r1.112
  --- index.xml	16 Sep 2002 22:35:09 -0000	1.111
  +++ index.xml	24 Sep 2002 11:46:36 -0000	1.112
  @@ -12,6 +12,7 @@
   <section name="Product News">
   <p>
   <ul>
  +<li><a href="site/news.html#0924.1">24 September 2002 - <b>Security updates:
Tomcat 4.1.12 Stable and Tomcat 4.0.5 Released</b></a></li>
   <li><a href="site/news.html#0916.1">16 September 2002 - <b>Avalon-Phoenix
4.0 Released</b></a></li>
   <li><a href="site/news.html#0912.1">12 September 2002 - <b>Commons Discovery
0.1 Released</b></a></li>
   <li><a href="site/news.html#0906.1">06 September 2002 - <b>Tomcat 4.1.10
Stable Released</b></a></li>
  
  
  
  1.177     +2 -2      jakarta-site2/xdocs/site/binindex.xml
  
  Index: binindex.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/xdocs/site/binindex.xml,v
  retrieving revision 1.176
  retrieving revision 1.177
  diff -u -r1.176 -r1.177
  --- binindex.xml	13 Sep 2002 04:21:53 -0000	1.176
  +++ binindex.xml	24 Sep 2002 11:46:36 -0000	1.177
  @@ -94,8 +94,8 @@
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-taglibs/releases/">Taglibs</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.2.4/bin/">Tomcat
3.2.4</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.3.1/bin/">Tomcat
3.3.1</a></li>
  -<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.4/">Tomcat
4.0.4</a></li>
  -<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.10/">Tomcat
4.1.10</a></li>
  +<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.5/">Tomcat
4.0.5</a></li>
  +<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.12/">Tomcat
4.1.12</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-turbine/release/2.1/">Turbine
2.1</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-velocity/release/v1.2/">Velocity
1.2</a></li>
   </ul>
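
Review bot: The 4.0.4 and 4.1.10 links are swapped for 4.0.5 and 4.1.12 with nothing in the download list saying why. Someone who lands on this index directly will not see that the older 4.x builds were replaced because of a security fix; consider adding a short link to the 0924.1 news anchor next to the two new Tomcat 4.x entries.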
  
  
  
  1.197     +37 -0     jakarta-site2/xdocs/site/news.xml
  
  Index: news.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/xdocs/site/news.xml,v
  retrieving revision 1.196
  retrieving revision 1.197
  diff -u -r1.196 -r1.197
  --- news.xml	16 Sep 2002 22:35:09 -0000	1.196
  +++ news.xml	24 Sep 2002 11:46:36 -0000	1.197
  @@ -11,6 +11,43 @@
   
   <section name="News &amp; Status">
   
  +<a name="0924.1">
  +<h3>24 September 2002 - Security updates: Tomcat 4.1.12 Stable and Tomcat 4.0.5 Released</h3>
  +</a>
  +<p>
  +  A security vulnerability has been confirmed to exist in all Apache Tomcat 
  +4.x versions (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows to use 
  +a specially crafted URL to return the unprocessed source of a JSP page, or 
  +under special circumstances a static resource which would otherwise have been 
  +protected by security constraint, without the need of being properly 
  +authenticated.
  +<br/><br/>
  +Using the invoker servlet in conjunction with the default servlet 
  +(responsible for handling static content in Tomcat) triggers this 
  +vulnerability. This particular configuration is available in the default 
  +Tomcat configuration. An easy workaround exists for existing Tomcat 
  +installation, by disabling the invoker servlet in the default webapp 
  +configuration.
  +<br/><br/>
  +In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml), comment
out or remove the following XML fragment:
  +<br/>
  +<code>
  +    &lt;servlet-mapping&gt;
  +        &lt;servlet-name&gt;invoker&lt;/servlet-name&gt;
  +        &lt;url-pattern&gt;/servlet/*&lt;/url-pattern&gt;
  +    &lt;/servlet-mapping&gt;
  +</code>
  +<br/><br/>
  +The Apache Tomcat Team announces the immediate availability of new releases which include
a fix to the invoker servlet.
  +<br/>
  +Binary and source distributions for Apache Tomcat 4.1.12 Stable are available 
  +<a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/">here</a>.
  +<br/>
  +Binary and source distributions for Apache Tomcat 4.0.5 are available
  +<a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/">here</a>.
  +</p>
  +<hr size="1" noshade="noshade" />
  +
   <a name="0916.1">
   <h3>16 September 2002 - Avalon-Phoenix 4.0 Released</h3>
   </a>
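
Review bot: The servlet-mapping fragment sits inside <code> with its indentation and line breaks carried only by source whitespace, which HTML collapses, so the four lines will render as one run of text in the announcement. Wrap the fragment in <pre> (or add explicit breaks) so administrators can match it line by line against their web.xml. The two download links also use "here" as link text; naming the release in the link text would keep them identifiable out of context.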
  
  
  
