tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Remy Maucherat" <r...@apache.org>
Subject [ANNOUNCEMENT] Tomcat 4.0.3 security hotfix release
Date Sat, 02 Mar 2002 03:33:08 GMT
A security vulnerability affecting the sandboxing provided by the Java
Security Manager has been discovered. The request dipatcher functionality of
the Servlet API could be used by a malicious servlet or JSP page to get
access to any resource located on the server's filesystem, bypassing the
Security Manager protection.

Note: People who are not using Tomcat with the Security Manager are not
affected by this problem, and do not need to upgrade.

Tomcat 4.0.3 has been released, and is identical to Tomcat 4.0.2 with the
only change being the fix for the problem described above:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/

The security patch can also be downloaded as a binary patch for Tomcat 4.0.2
and can be applied to an existing Tomcat 4.0.2 installation:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.2/bin/hotfi
x/

The source code for the hotfix is included in the archive.

The upcoming Tomcat 4.0.4 Beta 1 release will also include this fix.

Issue report:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6772

Remy



--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message