Date: Mon, 2 Apr 2001 14:20:56 -0700 (PDT)
From: "Craig R. McClanahan"
To: tomcat-dev@jakarta.apache.org
Subject: Tomcat 4.0-beta-2 Security Vulnerability

As you've seen from bug reports to BugTraq@securityfocus.com, the Beta 2
release of Tomcat 4.0 has a security vulnerability that can expose JSP file
source code. A partial fix to this problem was implemented prior to
shipping beta 2, but it did not deal with all possible causes.

The actual bug (URL decoding the static file path in DefaultServlet even
though the container now does this) was fixed by Remy this morning, and I
just fixed the same vulnerability in the SSI servlet.

The question is, what do we do about beta 2?

I suggest that we create a revised version of beta 2, clearly labelled so
that people will know whether they have the corrected version or not -- and
we should do this immediately (like today) to minimize the number of people
who end up downloading twice. I suggest we call the updated version
"Tomcat 4.0-beta-2-update-1" or something like that.

Comments? Votes?

Craig
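
The defect class named in the message above (a static-file handler URL-decoding a path the container has already decoded), modelled next to the corrected behaviour. This is an added example, not part of the original message and not Tomcat source; the class, the method names and the sample request paths are constructed for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Simplified model of the defect class, not Tomcat source; all names are hypothetical.
public class DoubleDecodeDemo {

    // Container step: decode the raw request URI exactly once (needs Java 10+).
    // URLDecoder also maps '+' to a space; that is irrelevant to these samples.
    static String containerDecode(String rawUri) {
        return URLDecoder.decode(rawUri, StandardCharsets.UTF_8);
    }

    // Container step: choose a handler from the once-decoded path.
    static String dispatch(String decodedPath) {
        return decodedPath.endsWith(".jsp") ? "jsp-servlet" : "static-servlet";
    }

    // Defect: the static handler decodes a second time, so the file it opens
    // is not the path the dispatch decision was made on.
    static String staticPathBuggy(String decodedPath) {
        return URLDecoder.decode(decodedPath, StandardCharsets.UTF_8);
    }

    // Fix: trust the container's single decode and use the path unchanged.
    static String staticPathFixed(String decodedPath) {
        return decodedPath;
    }

    // Invariant for a regression test: a path dispatched as static must still
    // be classified as static after the handler has resolved it.
    static boolean sourceExposed(String dispatchedAs, String resolvedPath) {
        return dispatchedAs.equals("static-servlet") && resolvedPath.endsWith(".jsp");
    }

    public static void main(String[] args) {
        // Constructed samples; "%25" is an encoded '%', so one decode leaves "%70".
        String[] rawUris = { "/index.html", "/index.jsp", "/index.js%2570" };
        for (String raw : rawUris) {
            String decoded = containerDecode(raw);
            String handler = dispatch(decoded);
            String buggy = staticPathBuggy(decoded);
            String fixed = staticPathFixed(decoded);
            System.out.printf("%-16s -> %-14s buggy=%-12s exposed=%-5b fixed=%-13s exposed=%b%n",
                raw, handler, buggy, sourceExposed(handler, buggy),
                fixed, sourceExposed(handler, fixed));
        }
    }
}
```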