tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: [ANN] Apache Tomcat 4.1.27 Stable released
Date Thu, 07 Aug 2003 18:28:28 GMT

----- Original Message -----
From: "Remy Maucherat" <remm@apache.org>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Thursday, August 07, 2003 11:03 AM
Subject: Re: [ANN] Apache Tomcat 4.1.27 Stable released


> NAIK,ROSHAN (HP-Cupertino,ex1) wrote:
>
> > Hi Remy,
> > Are these security bugs existing in all versions of Tomcat 4
> > prior to 4.1.27? Or was there a version of Tomcat where these
> > were introduced? I couldn't find the reference to these security
> > issues on the Tomcat web site section mentioning the 4.1.27 release.
> > This information will be very useful since we may need to
> > redeploy our free HPUX Tomcat distribution to customers.
>
> Ok, cool.
>
> >>The Tomcat Team announces the immediate availability of Apache Tomcat
> >>4.1.27 Stable. Among other bugfixes and improvements, Tomcat 4.1.27
> >>includes security fixes for:
> >>
> >>- Improper recycling of SSL client certificates with Coyote JK 2
>
> That could have been introduced in a previous release. Bill or Costin
> could probably give a straight answer.

This was introduced in 4.1.18, along with another bug that caused client
certificates to not work at all (and which masked this bug).

>
> >>- Improper handling of invalid content lengths in requests, causing HTTP
> >>processors to be left in an invalid state in Coyote HTTP/1.1, causing a
> >>DoS condition
>
> That always existed in Coyote HTTP/1.1 shipped with Tomcat 4.1.x.
>
> >>- URI normalization bug in Coyote
>
> Idem.
>
> >>- Improper handling of certain URLs in Coyote JK 2, causing a
> >>DoS condition
>
> I believe this always existed in Coyote JK 2, but Bill or Costin have
> more knowledge of the issue.

Without checking the CVS logs, I believe that this has always existed in
4.1.  It's certainly been there since the first stable release of 4.1.x.

>
> Remy
>

