tomcat-dev mailing list archives

From Remy Maucherat
Subject Re: [ANN] Apache Tomcat 4.1.27 Stable released
Date Thu, 07 Aug 2003 18:03:39 GMT
NAIK,ROSHAN (HP-Cupertino,ex1) wrote:

> Hi Remy,
> Are these security bugs existing in all versions of Tomcat 4
> prior to 4.1.27? Or was there a version of Tomcat where these
> were introduced? I couldn't find the reference to these security
> issues on the tomcat web site section mentioning the 4.1.27 release.
> This information will be very much useful since we may need to
> redeploy our free HPUX Tomcat distribution to customers.

Ok, cool.

>>The Tomcat Team announces the immediate availability of Apache Tomcat 
>>4.1.27 Stable. Among other bugfixes and improvements, Tomcat 4.1.27 
>>includes security fixes for:
>>- Improper recycling of SSL client certificates with Coyote JK 2

That could have been introduced in a previous release. Bill or Costin 
could probably give a straight answer.

>>- Improper handling of invalid content lengths in requests, causing HTTP
>>processors to be left in an invalid state in Coyote HTTP/1.1, causing a
>>DoS condition

That always existed in Coyote HTTP/1.1 shipped with Tomcat 4.1.x.

>>- URI normalization bug in Coyote


>>- Improper handling of certain URLs in Coyote JK 2, causing a 
>>DoS condition

I believe this always existed in Coyote JK 2, but Bill or Costin have 
more knowledge of the issue.

