From: Remy Maucherat
To: Tomcat Developers List
Date: Thu, 07 Aug 2003 20:03:39 +0200
Subject: Re: [ANN] Apache Tomcat 4.1.27 Stable released
Message-ID: <3F32947B.8060501@apache.org>
In-Reply-To: <123E41AA62E54346A34828E6646156735FDB62@xsun03.ptp.hp.com>

NAIK,ROSHAN (HP-Cupertino,ex1) wrote:
> Hi Remy,
> Are these security bugs existing in all versions of Tomcat 4
> prior to 4.1.27? Or was there a version of Tomcat where these
> were introduced? I couldn't find the reference to these security
> issues on the tomcat web site section mentioning the 4.1.27 release.
> This information will be very much useful since we may need to
> redeploy our free HPUX Tomcat distribution to customers.

Ok, cool.

>> The Tomcat Team announces the immediate availability of Apache Tomcat
>> 4.1.27 Stable. Among other bugfixes and improvements, Tomcat 4.1.27
>> includes security fixes for:
>>
>> - Improper recycling of SSL client certificates with Coyote JK 2

That could have been introduced in a previous release. Bill or Costin
could probably give a straight answer.

>> - Improper handling of invalid content lengths in requests,
>> causing HTTP processors to be left in an invalid state in Coyote HTTP/1.1,
>> causing a DoS condition

That always existed in Coyote HTTP/1.1 shipped with Tomcat 4.1.x.

>> - URI normalization bug in Coyote

Idem.

>> - Improper handling of certain URLs in Coyote JK 2, causing a
>> DoS condition

I believe this always existed in Coyote JK 2, but Bill or Costin have
more knowledge of the issue.

Remy