jakarta-site-cvs mailing list archives

From r...@apache.org
Subject cvs commit: jakarta-site2/xdocs/site binindex.xml news.xml sourceindex.xml
Date Wed, 09 Oct 2002 14:06:56 GMT
remm        2002/10/09 07:06:56

  Modified:    docs     index.html
               docs/site binindex.html news.html sourceindex.html
               xdocs    index.xml
               xdocs/site binindex.xml news.xml sourceindex.xml
  Log:
  - Tomcat 4.0.6 release.
  
  Revision  Changes    Path
  1.156     +1 -0      jakarta-site2/docs/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/docs/index.html,v
  retrieving revision 1.155
  retrieving revision 1.156
  diff -u -r1.155 -r1.156
  --- index.html	8 Oct 2002 15:29:57 -0000	1.155
  +++ index.html	9 Oct 2002 14:06:55 -0000	1.156
  @@ -153,6 +153,7 @@
           <blockquote>
                                       <p>
   <ul>
  +<li><a href="site/news.html#1009.1">09 October 2002 - <b>Security update:
Tomcat 4.0.6 Released</b></a></li>
   <li><a href="site/news.html#1004.1">04 October 2002 - <b>Commons Lang
1.0 Released</b></a></li>
   <li><a href="site/news.html#1003.1">03 October 2002 - <b>Ant 1.5.1 Released</b></a></li>
   <li><a href="site/news.html#0927.1">27 September 2002 - <b>Commons Logging
1.0.2 Released</b></a></li>
  
  
  
  1.218     +1 -1      jakarta-site2/docs/site/binindex.html
  
  Index: binindex.html
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/docs/site/binindex.html,v
  retrieving revision 1.217
  retrieving revision 1.218
  diff -u -r1.217 -r1.218
  --- binindex.html	4 Oct 2002 22:29:19 -0000	1.217
  +++ binindex.html	9 Oct 2002 14:06:55 -0000	1.218
  @@ -226,7 +226,7 @@
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-taglibs/releases/">Taglibs</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.2.4/bin/">Tomcat
3.2.4</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.3.1/bin/">Tomcat
3.3.1</a></li>
  -<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.5/">Tomcat
4.0.5</a></li>
  +<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.6/">Tomcat
4.0.6</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.12/">Tomcat
4.1.12</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-turbine/release/2.1/">Turbine
2.1</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-velocity/release/v1.2/">Velocity
1.2</a></li>
  
  
  
  1.232     +61 -1     jakarta-site2/docs/site/news.html
  
  Index: news.html
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/docs/site/news.html,v
  retrieving revision 1.231
  retrieving revision 1.232
  diff -u -r1.231 -r1.232
  --- news.html	4 Oct 2002 22:29:19 -0000	1.231
  +++ news.html	9 Oct 2002 14:06:55 -0000	1.232
  @@ -151,7 +151,67 @@
         </td></tr>
         <tr><td>
           <blockquote>
  -                                    <a name="1004.1">
  +                                    <a name="1009.1">
  +<h3>9 October 2002 - Tomcat 4.0.6 Released.</h3>
  +</a>
  +                                                <p>
  +A security vulnerability has been confirmed to exist in Apache Tomcat
  +4.0.x releases (including Tomcat 4.0.5), which allows to use a specially
  +crafted URL to return the unprocessed source of a JSP page, or, under
  +special circumstances, a static resource which would otherwise have been
  +protected by security constraint, without the need for being properly
  +authenticated. This is based on a variant of the exploit that was
  +disclosed on 09/24/2002.
  +</p>
  +                                                <p>
  +<b>Who is vulnerable</b>
  +<ul>
  +<li>All Tomcat 4.0.x releases, except those in which the invoker servlet
  +is disabled (this is not the default setting).</li>
  +<li>All Tomcat 4.1.x releases before 4.1.12, except those in which the
  +invoker servlet is disabled (this is not the default setting), as 
  +well as 4.1.12 if and only if the invoker servlet has been enabled. 
  +The default Tomcat 4.1.12 installation is not vulnerable.</li>
  +</ul>
  +</p>
  +                                                <p>
  +<b>Fixes and workarounds</b>(doing either of the following can be use as a
  +workaround for the security problem)
  +<ul>
  +<li> Disabling the invoker servlet
  +
  +In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml), comment
out or remove the following XML fragment:
  +<br />
  +<code>
  +    &lt;servlet-mapping&gt;<br />
  +        &lt;servlet-name&gt;invoker&lt;/servlet-name&gt;<br />
  +        &lt;url-pattern&gt;/servlet/*&lt;/url-pattern&gt;<br />
  +    &lt;/servlet-mapping&gt;
  +</code>
  +</li>
  +
  +<li> If running any Tomcat 4.0.x releases, download and install the
  +following <a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip">binary
patch</a>.
  +Simply unzip the archive in the $CATALINA_HOME folder (on Windows
  +%CATALINA_HOME%). Make sure paths are preserved when unzipping. The 
  +patch will overwrite the default webapp configuration file
  +($CATALINA_HOME/conf/web.xml) to add a workaround to protect
  +against the security vulnerability.
  +</li>
  +
  +<li> If running Tomcat 4.1.12 and the invoker servlet was enabled, it must
  +be disabled at this time. A new Tomcat 4.1.x release incorporating
  +the fix to the invoker servlet will be made available shortly.
  +</li>
  +
  +<li> If running any Tomcat 4.0.x release, download and install Tomcat 4.0.6.
  +Binary and source distributions for Apache Tomcat 4.0.5 are available
  +<a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.6/">here</a>.
  +</li>
  +</ul>
  +</p>
  +                                                <hr size="1" noshade="noshade" />
  +                                                <a name="1004.1">
   <h3>4 October 2002 - Commons Lang 1.0 released.</h3>
   </a>
                                                   <p>
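Review bot: the hotfix item tells users the archive "will overwrite the default webapp configuration file ($CATALINA_HOME/conf/web.xml)" but does not warn that any local edits to that file (extra MIME types, welcome files, a previously commented-out invoker mapping) are lost when it is unzipped; add a sentence telling administrators to back up conf/web.xml and re-apply their changes, or to prefer the manual invoker-mapping removal if they have customised the file. The same item links a bare zip under builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip with no mention of a checksum or signature to check before dropping it into $CATALINA_HOME; say how to verify it. This file is the generated copy of xdocs/site/news.xml, so the wording errors it carries ("Apache Tomcat 4.0.5 are available" in the 4.0.6 download item, "can be use as a workaround", "allows to use a specially crafted URL") should be fixed in the xdoc and the docs/ tree regenerated, not patched by hand here.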
  
  
  
  1.145     +2 -2      jakarta-site2/docs/site/sourceindex.html
  
  Index: sourceindex.html
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/docs/site/sourceindex.html,v
  retrieving revision 1.144
  retrieving revision 1.145
  diff -u -r1.144 -r1.145
  --- sourceindex.html	4 Oct 2002 22:29:20 -0000	1.144
  +++ sourceindex.html	9 Oct 2002 14:06:56 -0000	1.145
  @@ -226,7 +226,8 @@
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-struts/release/v1.0.2/src/">Struts
1.0.2</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/tomcat/release/v3.2.4/src/">Tomcat
3.2.4</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/tomcat/release/v3.3.1/src/">Tomcat
3.3.1</a></li>
  -<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.3/src/">Tomcat
4.0.3</a></li>
  +<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.6/src/">Tomcat
4.0.6</a></li>
  +<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.12/src/">Tomcat
4.1.12</a></li>
   </ul>
                                                   <h2>
   Milestone Builds
  @@ -235,7 +236,6 @@
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-avalon/release/phoenix/latest/">Avalon
Phoenix 4.0 alpha 1</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-james/latest/">James
Latest Release Candidate</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-jmeter/unstable/v1.7.2/">JMeter
1.7.2</a></li>
  -<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.4-b2/src/">Tomcat
4.0.4 Beta 2</a></li>
   <li><a href="http://jakarta.apache.org/builds/jakarta-poi/dev/src/">POI 1.8-dev
(early development build)</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-struts/release/v1.1-b2/src/">Struts
1.1 Beta 2</a></li>
   </ul>
  
  
  
  1.118     +1 -0      jakarta-site2/xdocs/index.xml
  
  Index: index.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/xdocs/index.xml,v
  retrieving revision 1.117
  retrieving revision 1.118
  diff -u -r1.117 -r1.118
  --- index.xml	8 Oct 2002 15:29:57 -0000	1.117
  +++ index.xml	9 Oct 2002 14:06:56 -0000	1.118
  @@ -12,6 +12,7 @@
   <section name="Product News">
   <p>
   <ul>
  +<li><a href="site/news.html#1009.1">09 October 2002 - <b>Security update:
Tomcat 4.0.6 Released</b></a></li>
   <li><a href="site/news.html#1004.1">04 October 2002 - <b>Commons Lang
1.0 Released</b></a></li>
   <li><a href="site/news.html#1003.1">03 October 2002 - <b>Ant 1.5.1 Released</b></a></li>
   <li><a href="site/news.html#0927.1">27 September 2002 - <b>Commons Logging
1.0.2 Released</b></a></li>
  
  
  
  1.182     +1 -1      jakarta-site2/xdocs/site/binindex.xml
  
  Index: binindex.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/xdocs/site/binindex.xml,v
  retrieving revision 1.181
  retrieving revision 1.182
  diff -u -r1.181 -r1.182
  --- binindex.xml	4 Oct 2002 22:29:20 -0000	1.181
  +++ binindex.xml	9 Oct 2002 14:06:56 -0000	1.182
  @@ -95,7 +95,7 @@
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-taglibs/releases/">Taglibs</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.2.4/bin/">Tomcat
3.2.4</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.3.1/bin/">Tomcat
3.3.1</a></li>
  -<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.5/">Tomcat
4.0.5</a></li>
  +<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.6/">Tomcat
4.0.6</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.12/">Tomcat
4.1.12</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-turbine/release/2.1/">Turbine
2.1</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-velocity/release/v1.2/">Velocity
1.2</a></li>
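Review bot: the Tomcat 4.0.6 link points at the release root (release/v4.0.6/) while the Tomcat 3.2.4 and 3.3.1 entries two lines above point at their bin/ subdirectory; this only carries over what the 4.0.5 and 4.1.12 entries already did, but since this page is the binary index it would be clearer to link release/v4.0.6/bin/ so readers land on the binaries rather than a listing that also contains src/. Not blocking.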
  
  
  
  1.202     +61 -0     jakarta-site2/xdocs/site/news.xml
  
  Index: news.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/xdocs/site/news.xml,v
  retrieving revision 1.201
  retrieving revision 1.202
  diff -u -r1.201 -r1.202
  --- news.xml	4 Oct 2002 22:29:20 -0000	1.201
  +++ news.xml	9 Oct 2002 14:06:56 -0000	1.202
  @@ -11,6 +11,67 @@
   
   <section name="News &amp; Status">
   
  +<a name="1009.1">
  +<h3>9 October 2002 - Tomcat 4.0.6 Released.</h3>
  +</a>
  +<p>
  +A security vulnerability has been confirmed to exist in Apache Tomcat
  +4.0.x releases (including Tomcat 4.0.5), which allows to use a specially
  +crafted URL to return the unprocessed source of a JSP page, or, under
  +special circumstances, a static resource which would otherwise have been
  +protected by security constraint, without the need for being properly
  +authenticated. This is based on a variant of the exploit that was
  +disclosed on 09/24/2002.
  +</p>
  +<p>
  +<b>Who is vulnerable</b>
  +<ul>
  +<li>All Tomcat 4.0.x releases, except those in which the invoker servlet
  +is disabled (this is not the default setting).</li>
  +<li>All Tomcat 4.1.x releases before 4.1.12, except those in which the
  +invoker servlet is disabled (this is not the default setting), as 
  +well as 4.1.12 if and only if the invoker servlet has been enabled. 
  +The default Tomcat 4.1.12 installation is not vulnerable.</li>
  +</ul>
  +</p>
  +<p>
  +<b>Fixes and workarounds</b>(doing either of the following can be use as a
  +workaround for the security problem)
  +<ul>
  +<li>Disabling the invoker servlet: In the $CATALINA_HOME/conf/web.xml file (on
  + Windows, %CATALINA_HOME%\conf\web.xml), comment out or remove the following 
  +XML fragment:
  +<br/>
  +<code>
  +    &lt;servlet-mapping&gt;<br/>
  +        &lt;servlet-name&gt;invoker&lt;/servlet-name&gt;<br/>
  +        &lt;url-pattern&gt;/servlet/*&lt;/url-pattern&gt;<br/>
  +    &lt;/servlet-mapping&gt;
  +</code>
  +</li>
  +
  +<li> If running any Tomcat 4.0.x releases, download and install the
  +following <a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip">binary
patch</a>.
  +Simply unzip the archive in the $CATALINA_HOME folder (on Windows
  +%CATALINA_HOME%). Make sure paths are preserved when unzipping. The 
  +patch will overwrite the default webapp configuration file
  +($CATALINA_HOME/conf/web.xml) to add a workaround to protect
  +against the security vulnerability.
  +</li>
  +
  +<li> If running Tomcat 4.1.12 and the invoker servlet was enabled, it must
  +be disabled at this time. A new Tomcat 4.1.x release incorporating
  +the fix to the invoker servlet will be made available shortly.
  +</li>
  +
  +<li> If running any Tomcat 4.0.x release, download and install Tomcat 4.0.6.
  +Binary and source distributions for Apache Tomcat 4.0.5 are available
  +<a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.6/">here</a>.
  +</li>
  +</ul>
  +</p>
  +<hr size="1" noshade="noshade" />
  +
   <a name="1004.1">
   <h3>4 October 2002 - Commons Lang 1.0 released.</h3>
   </a>
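Review bot: the last workaround item reads "Binary and source distributions for Apache Tomcat 4.0.5 are available" while the link and the item itself are about 4.0.6; change "4.0.5" to "4.0.6" so the security advisory does not send readers looking for the vulnerable version. In the same paragraph "doing either of the following can be use as a workaround" should read "doing any one of the following can be used as a workaround" (there are four items, not two), and the opening sentence "which allows to use a specially crafted URL to return" should read "which allows a specially crafted URL to return". The "Who is vulnerable" list says 4.1.x releases before 4.1.12 are vulnerable with the invoker enabled, but the fix list only addresses 4.0.x (hotfix, 4.0.6) and 4.1.12 (disable the invoker); add an explicit item for 4.1.0-4.1.11 users (disable the invoker mapping, or upgrade to 4.1.12 with the invoker disabled). Finally, the `<ul>` lists are nested directly inside `<p>` elements, which is invalid in both the xdoc and the HTML it generates; close the `<p>` after the bold heading and put the `<ul>` as a sibling.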
  
  
  
  1.106     +2 -2      jakarta-site2/xdocs/site/sourceindex.xml
  
  Index: sourceindex.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/xdocs/site/sourceindex.xml,v
  retrieving revision 1.105
  retrieving revision 1.106
  diff -u -r1.105 -r1.106
  --- sourceindex.xml	4 Oct 2002 22:29:20 -0000	1.105
  +++ sourceindex.xml	9 Oct 2002 14:06:56 -0000	1.106
  @@ -94,7 +94,8 @@
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-struts/release/v1.0.2/src/">Struts
1.0.2</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/tomcat/release/v3.2.4/src/">Tomcat
3.2.4</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/tomcat/release/v3.3.1/src/">Tomcat
3.3.1</a></li>
  -<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.3/src/">Tomcat
4.0.3</a></li>
  +<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.6/src/">Tomcat
4.0.6</a></li>
  +<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.12/src/">Tomcat
4.1.12</a></li>
   </ul>
   
   <h2>
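Review bot: the new Tomcat 4.0.6 and 4.1.12 source links use dist/jakarta/jakarta-tomcat-4.0/release/..., while the unchanged Tomcat 3.2.4 and 3.3.1 entries in the context lines point at dist/jakarta/tomcat/release/... and the matching binindex.xml entries use dist/jakarta/jakarta-tomcat/release/...; please confirm the 3.x source paths are still valid on the dist mirror, since this is the list the advisory's readers will use to fetch sources, and align the two indexes on one path form in a follow-up.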
  @@ -105,7 +106,6 @@
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-avalon/release/phoenix/latest/">Avalon
Phoenix 4.0 alpha 1</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-james/latest/">James
Latest Release Candidate</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-jmeter/unstable/v1.7.2/">JMeter
1.7.2</a></li>
  -<li><a href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.4-b2/src/">Tomcat
4.0.4 Beta 2</a></li>
   <li><a href="http://jakarta.apache.org/builds/jakarta-poi/dev/src/">POI 1.8-dev
(early development build)</a></li>
   <li><a href="http://www.apache.org/dist/jakarta/jakarta-struts/release/v1.1-b2/src/">Struts
1.1 Beta 2</a></li>
   </ul>
  
  
  

--
To unsubscribe, e-mail:   <mailto:site-cvs-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:site-cvs-help@jakarta.apache.org>

