From "Bill Barker" <wbar...@wilshire.com>
Subject Re: [ANN] Security update: Apache Tomcat 3.3.1a released
Date Sun, 26 Jan 2003 10:29:51 GMT
I'm assuming that this was actually voted on in some list (certainly not
this one).  I'd just like to add my -0 vote (only because a -1 is pointless
now :).  The 3.3 branch needs to have a 3.3.2 release, and IMHO, a 3.3.1a
release is just a waste of time.

----- Original Message -----
From: "Larry Isaacs" <Larry.Isaacs@sas.com>
To: <tomcat-user@jakarta.apache.org>; <tomcat-dev@jakarta.apache.org>;
<announcements@jakarta.apache.org>
Sent: Saturday, January 25, 2003 8:30 PM
Subject: [ANN] Security update: Apache Tomcat 3.3.1a released


Tomcat 3.3.1a has been released to address the following two
vulnerabilities found in Tomcat 3.3.1 and earlier.  This
includes Tomcat 3.2.4 and earlier.

Tomcat 4.0.4, 4.0.6, 4.1.12, 4.1.18, and 4.1.19 have been
checked and do not have these vulnerabilities.

Vulnerability where, when used with JDK 1.3.1 or earlier, a
maliciously crafted request could return a directory listing
even when an index.html, index.jsp, or other welcome file is
present. File contents can be returned as well.  In the case
of Tomcat 3.2.4 and earlier, contents of files under WEB-INF
could be accessed.  If you are using Tomcat 3.3.1 or earlier
with JDK 1.3.1 or earlier, you should either upgrade to JDK 1.4
or later, or upgrade your Tomcat installation to Tomcat 3.3.1a
or a current release of Tomcat 4.

Vulnerability where a malicious web application could read the
contents of some files outside the web application via its web.xml
file in spite of the presence of a security manager. The content
of files that can be read as part of an XML document would be
accessible. If you are running Tomcat 3.3.1 or earlier with a
security manager, and are serving web applications whose web.xml
content is not known to be safe, you should upgrade your Tomcat
installation to 3.3.1a or a current release of Tomcat 4.

You may download Tomcat 3.3.1a binaries and updated jars from:
http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/bin/

Other Tomcat downloads may be obtained from:
http://jakarta.apache.org/site/binindex.cgi

These vulnerabilities have been fixed in the current Tomcat 3.3.2-dev
files found at:
http://jakarta.apache.org/builds/jakarta-tomcat/nightly-3.3.x/

Larry

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
