tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 13365] - JSP source disclosure vulnerability not fixed when invoking servlets by name
Date Wed, 09 Oct 2002 14:23:41 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13365>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13365

JSP source disclosure vulnerability not fixed when invoking servlets by name

remm@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED



------- Additional Comments From remm@apache.org  2002-10-09 14:23 -------
Ok, this is fixed in all branches, and Tomcat 4.0.6 has been released (the
default Tomcat 4.0.5 installation was vulnerable).

However, NEVER EVER DISCUSS A POTENTIAL SECURITY PROBLEM ON A PUBLIC
COMMUNICATION CHANNEL, because this puts all Tomcat users at risk. The Tomcat
Team also cannot release a new version within minutes of a security problem being
published. Thanks. There are *private* mailing lists for that (security at
apache.org), and you will be given all the credit you want or deserve.

I used the patch submitted as a patch which can be applied to Tomcat 4.0.5 to
resolve the problem without upgrading to 4.0.6.

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>

