tomcat-dev mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Tomcat 4.0-beta-2 Security Vulnerability
Date Mon, 02 Apr 2001 21:20:56 GMT
As you've seen from bug reports to BugTraq@securityfocus.com, the Beta 2
release of Tomcat 4.0 has a security vulnerability that can expose JSP
file source code.  A partial fix to this problem was implemented prior to
shipping beta 2, but it did not deal with all possible causes.

The actual bug (URL decoding the static file path in DefaultServlet even
though the container now does this) was fixed by Remy this morning, and I
just fixed the same vulnerability in the SSI servlet.  The question is,
what do we do about beta 2?

I suggest that we create a revised version of beta 2, clearly labelled so
that people will know whether they have the corrected version or not --
and we should do this immediately (like today) to minimize the number of
people who end up downloading twice.

I suggest we call the updated version "Tomcat 4.0-beta-2-update-1" or
something like that.

Comments?  Votes?

Craig
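The double decoding that the message describes, as an added illustration (not Tomcat's code, and not from the original thread): a model in which the container decodes the request path once and the beta-2 DefaultServlet decodes it a second time, beside the corrected servlet that trusts the container's single decode. The request paths used below are constructed samples; the servlet names and file layout are assumptions for the model.

```python
from urllib.parse import unquote

JSP_SUFFIX = ".jsp"


def container_dispatch(raw_request_path: str) -> tuple[str, str]:
    """Model of the container: decode the raw URI exactly once, then choose a
    servlet by extension.  Returns (servlet_name, decoded_path)."""
    decoded = unquote(raw_request_path)
    if decoded.endswith(JSP_SUFFIX):
        return ("jsp", decoded)          # JSP servlet compiles and runs it
    return ("default", decoded)          # DefaultServlet serves a static file


def default_servlet_beta2(decoded_path: str) -> str:
    """Beta-2 behaviour from the message: the static file path is URL-decoded
    again even though the container already decoded it."""
    return unquote(decoded_path)


def default_servlet_fixed(decoded_path: str) -> str:
    """Fixed behaviour: the path is used as the container handed it over."""
    return decoded_path


def resolve(raw_request_path: str, default_servlet) -> tuple[str, str]:
    """Full request path: container dispatch, then the chosen servlet's own
    view of the file it will serve."""
    servlet, path = container_dispatch(raw_request_path)
    if servlet == "jsp":
        return ("jsp", path)
    return ("default", default_servlet(path))


def serves_jsp_source(raw_request_path: str, default_servlet) -> bool:
    """True when the static-file servlet ends up pointed at a .jsp file, i.e.
    the raw source would be sent instead of the compiled page."""
    servlet, file_path = resolve(raw_request_path, default_servlet)
    return servlet == "default" and file_path.endswith(JSP_SUFFIX)


if __name__ == "__main__":
    # Constructed sample: a percent sign that is itself percent-encoded.
    sample = "/index%252Ejsp"
    print("beta-2 exposes source:", serves_jsp_source(sample, default_servlet_beta2))
    print("fixed exposes source: ", serves_jsp_source(sample, default_servlet_fixed))
```

After one decode the sample path is `/index%2Ejsp`, which the container does not recognise as a JSP and hands to the static-file servlet; only a second decode turns it back into `/index.jsp`, which is why removing that second decode is the whole fix.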
