tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From craig...@locus.apache.org
Subject cvs commit: jakarta-tomcat/src/doc readme
Date Tue, 12 Dec 2000 21:01:43 GMT
craigmcc    00/12/12 13:01:42

  Modified:    src/doc  Tag: tomcat_32 readme
  Log:
  Update release notes for Tomcat 3.2.1.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.8.2.11  +43 -1     jakarta-tomcat/src/doc/readme
  
  Index: readme
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v
  retrieving revision 1.8.2.10
  retrieving revision 1.8.2.11
  diff -u -r1.8.2.10 -r1.8.2.11
  --- readme	2000/12/04 18:47:05	1.8.2.10
  +++ readme	2000/12/12 21:01:41	1.8.2.11
  @@ -1,4 +1,4 @@
  -$Id: readme,v 1.8.2.10 2000/12/04 18:47:05 craigmcc Exp $
  +$Id: readme,v 1.8.2.11 2000/12/12 21:01:41 craigmcc Exp $
   
                               Release Notes for:
                              ====================
  @@ -14,6 +14,7 @@
       4.  Tomcat: Past, Present, and Future
       5.  New Features In This Release
       6.  Known Bugs and Issues
  +    7.  Security Vulnerabilities Fixed in 3.2.1
   
   
   =============================================================================
  @@ -29,7 +30,17 @@
   You should read the License Agreement (in the LICENSE file of the top level
   directory), which applies to all software included in this release.
   
  +Tomcat Version 3.2.1 is a security related update!  See Section 7, below,
  +for details on the changes that have been made.  All other existing issues with
  +Tomcat 3.2 will remain in 3.2.1 -- they will be addressed in subsequent
  +maintenance updates (3.2.2, and so on).
  +
  +No changes to the native code components of Tomcat 3.2 have been made.
  +Therefore, you should *not* need to recompile components such as mod_jserv
  +in order to take advantage of this release.  You only need to replace the
  +Java based modules in the "jakarta-tomcat-3.2.*" distribution.
   
  +
   =============================================================================
   2.  INSTALLING AND RUNNING TOMCAT
   
  @@ -287,4 +298,35 @@
   
   Workaround:  kill the offending Tomcat process and correct your server.xml
   file such that there is a properly configured root context.
  +
  +
  +===============================================================================
  +7.  SECURITY VULNERABILITIES FIXED IN TOMCAT 3.2.1
  +
  +
  +7.1 Protection of Resources in /WEB-INF and /META-INF Directories
  +
  +The servlet specification prohibits servlet containers from serving resources
  +in the /WEB-INF and /META-INF directories of a web application archive directly
  +to clients.  In Tomcat 3.2, this means that URLs like:
  +
  +   http://localhost:8080/examples/WEB-INF/web.xml
  +
  +will return an error message, rather than the contents of your deployment
  +descriptor.  However, there is a vulnerability in Tomcat 3.2 that exposes
  +this information if the client requests a URL like this instead:
  +
  +    http://localhost:8080/examples//WEB-INF/web.xml
  +
  +(note the double slash before "WEB-INF").  This vulnerability has been
  +corrected in Tomcat 3.2.1.
  +
  +
  +7.2 Show Source Vulnerability
  +
  +The example application delivered with Tomcat 3.2 included a mechanism to
  +display the source code for the JSP page examples.  This mechanism could
  +be used to bypass the restrictions on displaying sensitive information in
  +the WEB-INF and META-INF directories.  This vulnerability has been removed.
  +
   
  
  
  

Mime
View raw message