Return-Path: Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm Delivered-To: mailing list tomcat-dev@jakarta.apache.org Received: (qmail 84809 invoked by uid 500); 12 Dec 2000 21:01:46 -0000 Delivered-To: apmail-jakarta-tomcat-cvs@apache.org Received: (qmail 84785 invoked by uid 1059); 12 Dec 2000 21:01:43 -0000 Date: 12 Dec 2000 21:01:43 -0000 Message-ID: <20001212210143.84784.qmail@locus.apache.org> From: craigmcc@locus.apache.org To: jakarta-tomcat-cvs@apache.org Subject: cvs commit: jakarta-tomcat/src/doc readme craigmcc 00/12/12 13:01:42 Modified: src/doc Tag: tomcat_32 readme Log: Update release notes for Tomcat 3.2.1. Revision Changes Path No revision No revision 1.8.2.11 +43 -1 jakarta-tomcat/src/doc/readme Index: readme =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8.2.10 retrieving revision 1.8.2.11 diff -u -r1.8.2.10 -r1.8.2.11 --- readme 2000/12/04 18:47:05 1.8.2.10 +++ readme 2000/12/12 21:01:41 1.8.2.11 @@ -1,4 +1,4 @@ -$Id: readme,v 1.8.2.10 2000/12/04 18:47:05 craigmcc Exp $ +$Id: readme,v 1.8.2.11 2000/12/12 21:01:41 craigmcc Exp $ Release Notes for: ==================== @@ -14,6 +14,7 @@ 4. Tomcat: Past, Present, and Future 5. New Features In This Release 6. Known Bugs and Issues + 7. Security Vulnerabilities Fixed in 3.2.1 ============================================================================= 
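Review bot: The new table-of-contents entry "7. Security Vulnerabilities Fixed in 3.2.1" does not mirror the heading it points to, which reads "7. SECURITY VULNERABILITIES FIXED IN TOMCAT 3.2.1"; the other entries (4, 5, 6) match their headings word for word apart from case, so change the entry to "7. Security Vulnerabilities Fixed in Tomcat 3.2.1" so a reader searching the file for the heading text finds both.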
@@ -29,7 +30,17 @@ You should read the License Agreement (in the LICENSE file of the top level directory), which applies to all software included in this release. +Tomcat Version 3.2.1 is a security related update! See Section 7, below, +for details on the changes that have been made. All other existing issues with +Tomcat 3.2 will remain in 3.2.1 -- they will be addressed in subsequent +maintenance updates (3.2.2, and so on). + +No changes to the native code components of Tomcat 3.2 have been made. +Therefore, you should *not* need to recompile components such as mod_jserv +in order to take advantage of this release. You only need to replace the +Java based modules in the "jakarta-tomcat-3.2.*" distribution. + ============================================================================= 2. INSTALLING AND RUNNING TOMCAT 
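Review bot: The upgrade paragraph ("You only need to replace the Java based modules in the "jakarta-tomcat-3.2.*" distribution") tells the administrator what to swap but gives no way to confirm the swap took effect, which matters for a release whose only purpose is a security fix. Add one sentence naming the Java components that changed between 3.2 and 3.2.1 (or saying that the whole Java distribution should be dropped in), and a verification step: after restarting, request the URL from section 7.1 and confirm an error page is returned instead of the deployment descriptor. It is also worth stating that an installation whose CLASSPATH or startup scripts still point at the 3.2 jars gets no benefit from unpacking 3.2.1 beside it.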
@@ -287,4 +298,35 @@ Workaround: kill the offending Tomcat process and correct your server.xml file such that there is a properly configured root context. + + +=============================================================================== +7. SECURITY VULNERABILITIES FIXED IN TOMCAT 3.2.1 + + +7.1 Protection of Resources in /WEB-INF and /META-INF Directories + +The servlet specification prohibits servlet containers from serving resources +in the /WEB-INF and /META-INF directories of a web application archive directly +to clients. In Tomcat 3.2, this means that URLs like: + + http://localhost:8080/examples/WEB-INF/web.xml + +will return an error message, rather than the contents of your deployment +descriptor. However, there is a vulnerability in Tomcat 3.2 that exposes +this information if the client requests a URL like this instead: + + http://localhost:8080/examples//WEB-INF/web.xml + +(note the double slash before "WEB-INF"). This vulnerability has been +corrected in Tomcat 3.2.1. + + +7.2 Show Source Vulnerability + +The example application delivered with Tomcat 3.2 included a mechanism to +display the source code for the JSP page examples. This mechanism could +be used to bypass the restrictions on displaying sensitive information in +the WEB-INF and META-INF directories. This vulnerability has been removed. +
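Review bot: Section 7.1 describes the vulnerability by a single URL shape (the double slash before "WEB-INF") but never says what the fix actually does, so a reader cannot tell whether 3.2.1 rejects that one pattern or normalizes the request path before applying the /WEB-INF and /META-INF restriction. State the fix explicitly ("Tomcat 3.2.1 normalizes the request path before checking for /WEB-INF and /META-INF") so administrators know the restriction is enforced on the canonical path and not on the literal string the client sent. For 7.2, "This vulnerability has been removed" covers only the example application as shipped; sites that copied the show-source mechanism into their own webapps, or that still deploy the 3.2 examples, remain exposed, so add the recommendation that the examples web application be removed from production servers altogether and that any locally derived copies of the source-display code be checked.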