tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aron Kramlik <aron.kram...@tenzing.com>
Subject RE: [ANNOUNCEMENT] Security Related Updates - Tomcat 3.1.1 and To mcat 3.2.1
Date Wed, 13 Dec 2000 01:36:20 GMT
Has there been a definitive list of these security problems with
TC 3.1 or TC 3.2?

What are the "appropriate contents" of the $TOMCAT_HOME directory
that I need to replace for both TC 3.1 and TC 3.2?

Aron Kramlik.



-----Original Message-----
From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
Sent: Tuesday, December 12, 2000 4:32 PM
To: announcements@jakarta.apache.org; general@jakarta.apache.org;
tomcat-dev@jakarta.apache.org; tomcat-user@jakarta.apache.org
Subject: [ANNOUNCEMENT] Security Related Updates - Tomcat 3.1.1 and
Tomcat 3.2.1


Recent investigations and reports have revealed security vulnerabilities in
both
Tomcat 3.1 and Tomcat 3.2 final releases.  To deal with these problems, the
Tomcat team has developed maintenance releases, and recommended actions, for
each major version.  (Tomcat 4.0 milestone 4 shares one of these
vulnerabilities
that will be fixed in the upcoming milestone 5 release, which is imminent.)


TOMCAT 3.1 USERS

* There are seven identified vulnerabilities that are documented in the
  Release Notes for Tomcat 3.1.1 (file "doc/readme" in the distribution).

* To deal with these problems for users who are unable to upgrade,
  a maintenance release, Tomcat 3.1.1, has been prepared.  You can
  download it at:

    http://jakarta.apache.org/builds/tomcat/release/v3.1.1/bin/

* This release fixes ***only*** the identified security vulnerabilities.  It
does
  not address any of the other bugs that exist in Tomcat 3.1.  No future
  maintenance release of Tomcat 3.1 is planned to deal with these issues.

* You are ***strongly*** encouraged to upgrade to Tomcat 3.2.1 as quickly
  as possible.  In doing so, you will benefit from these security
vulnerabilities
  being fixed, performance improvements, new features, and a large number
  of non-security related bug fixes.  See below for the download URL.

* In the event that you are not able to upgrade immediately, the corrective
  action is to download the binary distribution, and replace the appropriate
  contents in the $TOMCAT_HOME directory.  There is no need to modify
  any of the binary components (such as the mod_jserv component used to
  connect Tomcat to Apache).

* In addition, if you have not removed it already (or built your own
security
  mechanisms to protect it), you should remove the Tomcat 3.1
  administrative application by deleting the $TOMCAT_HOME/webapps/admin
  directory.


TOMCAT 3.2 USERS

* There are two identified vulnerabilities that are documented in the
  Release Notes for Tomcat 3.2.1 (file "doc/readme" in the distribution).
  These vulnerabilities have been fixed in Tomcat 3.2.1.

* You can download this security maintenance release at:

    http://jakarta.apache.org/builds/tomcat/release/v3.2.1/bin/

* You are ***strongly*** encouraged to download and install this
  update as quickly as possible.

* This release fixes ***only*** the identified security vulnerabilities.
  It does not address any of the other bugs, or feature requests, related
  to Tomcat 3.2 final.  These issues will be dealt with in future
  maintenance releases of Tomcat 3.2 as appropriate.

* The corrective action is to download the binary distribution, and
  replace the appropriate contents in the $TOMCAT_HOME directory.
  There is no need to modify any of the binary components (such as the
  mod_jserv component used to connect Tomcat to Apache).


Craig McClanahan


Mime
View raw message