tomcat-dev mailing list archives

From Jon Stevens <>
Subject Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2
Date Tue, 12 Dec 2000 02:53:56 GMT
on 12/11/2000 5:19 PM, "Craig R. McClanahan" <>

> Over the last three days, a review of published and soon-to-be-published reports
> of security vulnerabilities in Tomcat has uncovered a series of problems in the
> 3.1 final release, and a couple of less serious (but still significant) problems
> in 3.2.  Please vote (quickly) on the following two issues:
>
> Proposal #1:  Release a Tomcat 3.1.1 that fixes *only* the security problems
>
> I have just posted a CVS commit that fixes the security vulnerabilities that I
> know about, plus a release notes document (src/doc/readme) that describes what
> was changed.  I propose to create and announce an official release that reflects
> these changes.
>
> Note that there are no other functionality or bug fix changes to 3.1 being
> proposed, nor (IMHO) are any non-security-related fixes likely to be forthcoming
> in the future.  Therefore, I would propose to include a "strong encouragement"
> for existing 3.1 users to update to 3.2 in order to benefit from the bug fixes
> and security enhancements that it includes.

I think that we should just ask people to upgrade to 3.2.x

> Proposal #2:  Release a Tomcat 3.2.1 that fixes the following security problems
> plus the patches committed to date.
>
> Tomcat 3.2 final has the following security vulnerabilities that have
> subsequently been fixed in the CVS repository:
>
> * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
>   expose sensitive information (note the double slash after "examples").
> * The "Show Source" custom tag used to display JSP source code can
>   be used to expose sensitive information in WEB-INF.

> I propose that we cut a Tomcat 3.2.1 release that includes these two fixes, plus
> other bug fixes that have been committed to date.  Additional bug fixes that
> have been proposed but not yet committed can be included in a subsequent 3.2.2
> release.

> PS:  Tomcat 4.0-m4 is vulnerable to the first of the two problems listed above
> for 3.2 -- a fix has been posted, and will be included in the previously
> announced milestone 5 release that is imminent.

Honk if you love peace and quiet.
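As an added illustration of the double-slash problem listed in the thread above (example code written for this page, not Tomcat's own fix): a naive first-segment check that the `//` URL slips past, beside a check that canonicalises the request path before comparing it against the protected directories. The function names, the `PROTECTED` tuple and the sample paths are assumptions.

```python
"""Reference check for the WEB-INF exposure discussed in the thread.

Added example, not Tomcat's code. Shows why a protected-directory check
must run on the canonical path, not on the raw request URI.
"""
import posixpath
from urllib.parse import unquote

# Directories the servlet spec says a container must never serve directly.
PROTECTED = ("WEB-INF", "META-INF")


def naive_is_protected(context_path: str, request_uri: str) -> bool:
    """Constructed example of a weak check: look only at the raw path
    segment right after the context path. '/examples/WEB-INF/web.xml'
    is caught, but '/examples//WEB-INF/web.xml' yields an empty first
    segment and passes."""
    rest = request_uri[len(context_path):]          # e.g. '//WEB-INF/web.xml'
    parts = rest.split("/")
    first = parts[1] if len(parts) > 1 else ""
    return first in PROTECTED


def canonical_path(request_uri: str) -> str:
    """Percent-decode, collapse repeated slashes and resolve '.'/'..'.
    Decoding happens before normalising so encoded separators and dots
    cannot survive as distinct characters. posixpath.normpath never climbs
    above '/', but it keeps a double leading slash, so that is squashed."""
    norm = posixpath.normpath(unquote(request_uri).replace("\\", "/"))
    return "/" + norm.lstrip("/")


def is_protected(context_path: str, request_uri: str) -> bool:
    """Hardened check: canonicalise first, then compare the first path
    segment inside the context case-insensitively (filesystems such as
    NTFS would serve 'web-inf' and 'WEB-INF' as the same directory)."""
    path = canonical_path(request_uri)
    ctx = canonical_path(context_path)
    if not (path == ctx or path.startswith(ctx + "/")):
        return False                                 # not in this context
    first = path[len(ctx):].strip("/").split("/")[0]
    return first.upper() in PROTECTED


if __name__ == "__main__":
    url = "/examples//WEB-INF/web.xml"               # the URL from the thread
    print("naive   :", naive_is_protected("/examples", url))   # False (bypass)
    print("hardened:", is_protected("/examples", url))         # True
```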
