tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From craig...@locus.apache.org
Subject cvs commit: jakarta-tomcat/src/doc readme
Date Tue, 12 Dec 2000 20:48:40 GMT
craigmcc    00/12/12 12:48:38

  Modified:    src/doc  Tag: TOMCAT_31_BRANCH readme
  Log:
  Update the release notes document for Tomcat 3.1.1 to clarify what steps
  are required -- and not required -- to apply the update.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.8.4.1   +113 -5    jakarta-tomcat/src/doc/readme
  
  Index: readme
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v
  retrieving revision 1.8
  retrieving revision 1.8.4.1
  diff -u -r1.8 -r1.8.4.1
  --- readme	2000/04/18 01:42:52	1.8
  +++ readme	2000/12/12 20:48:34	1.8.4.1
  @@ -1,9 +1,9 @@
  -$Id: readme,v 1.8 2000/04/18 01:42:52 craigmcc Exp $
  +$Id: readme,v 1.8.4.1 2000/12/12 20:48:34 craigmcc Exp $
           
  -                           Release Notes for:
  -                           ==================
  -                           TOMCAT Version 3.1
  -                           ==================
  +                            Release Notes for:
  +                           ====================
  +                           TOMCAT Version 3.1.1
  +                           ====================
   
   
   0.  TABLE OF CONTENTS:
  @@ -13,6 +13,7 @@
       3.  Application Development Using Tomcat
       4.  New Features In This Release
       5.  Known Bugs and Issues
  +    6.  Security Vulnerabilities Fixed in 3.1.1
   
   
   =============================================================================
  @@ -28,7 +29,17 @@
   You should read the License Agreement (in the LICENSE file of the top level
   directory), which applies to all software included in this release.
   
  +Tomcat Version 3.1.1 is a security related update only!  See Section 6, below,
  +for details on the changes that have been made.  All other existing issues with
  +Tomcat 3.1 will remain in 3.1.1 -- users are *strongly* urged to upgrade to
  +Tomcat 3.2, which includes fixes for these issues.
  +
  +No changes to the native code components of Tomcat 3.1 have been made.
  +Therefore, you should *not* need to recompile components such as mod_jserv
  +in order to take advantage of this release.  You only need to replace the
  +Java based modules in the "jakarta-tomcat.*" distribution.
   
  +
   =============================================================================
   2.  INSTALLING AND RUNNING TOMCAT
   
  @@ -168,3 +179,100 @@
   reload support is not recommended for production applications because of
   its experimental nature, and the extra overhead required to perform the
   necessary checks on every request.
  +
  +
  +===============================================================================
  +6.  SECURITY VULNERABILITIES FIXED IN TOMCAT 3.1.1
  +
  +
  +6.1 Administrative Application Enabled By Default
  +
  +The administrative application (at context path "/admin") was enabled by
  +default in Tomcat 3.1, which allowed unauthenticated remote users to add and
  +remove appliations from a running Tomcat 3.1 installation if it was left
  +installed.
  +
  +To avoid such problems, the administrative application has been removed from
  +the binary distribution of Tomcat 3.1.1.  It can be installed if desired by:
  +- Downloading the source distribution of Tomcat 3.1.1.
  +- Modifying the "build.xml" file to remove the commenting around the
  +  logic that creates the adminstrative application.
  +- Running the build.sh or build.bat script.
  +
  +
  +6.2 Case Sensitive Matches on Static Resources
  +
  +In Tomcat 3.1, matches against the filenames of static resources was done in a
  +case insensitive manner on case insensitive platforms (such as Microsoft
  +Windows).  This can cause sensitive information to be exposed to remote users
  +who experiment with differently cased request URIs.
  +
  +To avoid such problems, Tomcat 3.1.1 performs filename comparisons for static
  +resources in a case sensitive manner, even on Windows.  This means that your
  +hyperlinks must specify the correct case, or a 404 error will be returned.
  +
  +Because this can cause significant conversion problems for existing
  +applications deployed on Tomcat 3.1, a configuration option is provided to
  +temporarily turn off case sensitive matching.  Edit the file "conf/web.xml"
  +and modify the value for the "caseSensitive" initialization parameter to the
  +default file-serving servlet.
  +
  +WARNING:  CHANGING THIS SETTING WILL RE-INTRODUCE THE SECURITY VULNERABILITY
  +PRESENT IN TOMCAT 3.1 -- IT IS *STRONGLY* RECOMMENDED THAT YOU CORRECT YOUR
  +URLS TO MATCH CORRECTLY INSTEAD OF USING THIS OPTION.  Note:  All later
  +versions of Tomcat perform filename matches in a case sensitive manner.
  +
  +
  +6.3 Snoop Servlet Mappings in Example Application
  +
  +In the deployment descriptor for the example application delivered with
  +Tomcat 3.1, a "snoop" servlet was mapped to URL patterns "/snoop" and
  +"*.snp".  Theses mappings (in particular the second one) could cause exposure
  +of sensitive information on the internal organization of your web application
  +(for example, when a non-existent page "foo.snp" is requested).
  +
  +To avoid these problems, the offending mappings have been commented out.
  +
  +
  +6.4 Show Source Vulnerability
  +
  +The example application delivered with Tomcat 3.1 included a mechanism to
  +display the source code for the JSP page examples.  This mechanism could
  +be used to bypass the restrictions on displaying sensitive information in
  +the WEB-INF and META-INF directories.  This vulnerability has been removed.
  +
  +
  +6.5 Requesting Unknown JSP Pages
  +
  +In Tomcat 3.1, the error message in response to a request for an unknown JSP
  +page would include the absolute disk file pathname of the corresponding file
  +which could not be found, which exposes sensitive information about how your
  +application is deployed.  The error message has been adjusted to include only
  +the context-relative path of the JSP page which could not be found.
  +
  +
  +6.6 Session ID Vulnerability
  +
  +The algorithm used to calculate session identifiers for new sessions was
  +subject to attack by attempting to guess what the next session identifier will
  +be, and therefore hijack the session.  In addition, the generated identifier
  +exposed sensitive information (the number of sessions that have been created
  +since this web application was started.
  +
  +To avoid these problems, the session identifier generation algorithm has been
  +replaced by the algorithm used in Tomcat 3.2, which is not subject to these
  +attacks, and does not expose session count information.
  +
  +
  +6.7 Server Shutdown Vulnerability
  +
  +In Tomcat 3.1, it was possible to establish a remote network connection to the
  +AJP12 connector and cause Tomcat to shut itself down.  Now, this network
  +connection must be created from the same server that Tomcat is running on.
  +
  +NOTE:  While this is more secure than Tomcat 3.1 (and mirrors the protection
  +provided by Tomcat 3.2), it is still vulnerable to attack by users who can
  +create socket connections from the server.  Suitable use of firewalls and
  +"TCP Wrappers" applications are suggested around the APJ12 port.
  +
  +
  
  
  

Mime
View raw message