tomcat-dev mailing list archives

From craig...@apache.org
Subject cvs commit: jakarta-tomcat-4.0/webapps/ROOT index.html
Date Tue, 15 May 2001 02:50:12 GMT
craigmcc    01/05/14 19:50:12

  Modified:    .        RELEASE-NOTES-4.0-B5.txt
               catalina/src/share/org/apache/catalina Globals.java
               webapps/ROOT index.html
  Log:
  Update release notes and public identifiers for "Tomcat 4.0-b5".
  
  Revision  Changes    Path
  1.2       +49 -1     jakarta-tomcat-4.0/RELEASE-NOTES-4.0-B5.txt
  
  Index: RELEASE-NOTES-4.0-B5.txt
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/RELEASE-NOTES-4.0-B5.txt,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- RELEASE-NOTES-4.0-B5.txt	2001/05/11 05:55:11	1.1
  +++ RELEASE-NOTES-4.0-B5.txt	2001/05/15 02:50:09	1.2
  @@ -3,7 +3,7 @@
                               Release Notes
                               =============
   
  -$Id: RELEASE-NOTES-4.0-B5.txt,v 1.1 2001/05/11 05:55:11 craigmcc Exp $
  +$Id: RELEASE-NOTES-4.0-B5.txt,v 1.2 2001/05/15 02:50:09 craigmcc Exp $
   
   
   ============
  @@ -22,6 +22,26 @@
   Please report bugs and feature requests under product name "Tomcat 4".
   
   
  +----> SECURITY ALERT:  Two security-related problems were discovered in
  +----> the Tomcat 4.0-b4 release which was announced on 05/11/2001.  These
  +----> vulnerabilities have been fixed in this beta release.  Anyone who
  +----> downloaded and installed Tomcat 4.0-b4 is urged to upgrade to this
  +----> new release immediately.
  +
  +
  +----> UPCOMING CHANGE NOTICE:  In a future beta release of Tomcat 4.0, it
  +----> is likely that the default operational mode will be to run Tomcat
  +----> under a security manager (rather than the current default of not
  +----> using one).  This may necessitate editing the policy permissions
  +----> file ($CATALINA_HOME/conf/catalina.policy) if your web applications
  +----> require permissions that are not enabled by default (such as connecting
  +----> to network ports).  You are urged to test your applications with
  +----> Tomcat 4.0-b5 running under the security manager now, so that this
  +----> upcoming change will not be disruptive.  To do so, start Tomcat 4.0
  +----> with the command "$CATALINA_HOME/bin/catalina.sh start -security"
  +----> (Unix) or "%CATALINA_HOME%\bin\catalina start -security" (Windows).
  +
  +
   ============
   NEW FEATURES:
   ============
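Review bot: the SECURITY ALERT block never says which two problems were fixed or where in these notes they are described, so a reader who stops at the alert cannot tell whether their b4 deployment is exposed. Suggest naming them inline, e.g. "(1) servlets could reach container internals via reflection on the servlet API implementation objects when no security manager was in use; (2) JSP source was exposed for request URLs containing %00", matching the "Facades" and "JSP Source Exposure Vulnerability" entries further down. The UPCOMING CHANGE NOTICE could likewise point to the Facades entry, which is the concrete reason the security manager matters.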
  @@ -31,7 +51,15 @@
   Catalina New Features:
   ---------------------
   
  +Facades:  The servlet API implementation objects that are passed to a servlet
  +are now protected by facades.  This avoids a security vulnerability (that
  +existed only when Tomcat 4.0 was *not* run under a security manager) that
  +allowed servlets to call arbitrary public methods on these classes via Java
  +reflection.  NOTE:  While facades solve this particular problem, servlets can
  +do many other negative things (like shutting down Tomcat by executing
  +System.exit(0)) unless you run Tomcat under a security manager.  
   
  +
   -------------------
   Jasper New Features:
   -------------------
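Review bot: the Facades entry should say which implementation objects are now wrapped; "the servlet API implementation objects that are passed to a servlet" could mean request, response, session and context, and someone upgrading from b4 cannot tell from this text whether all of them are covered. The caveat that facades do not stop System.exit(0) is good; consider adding that the "-security" start option from the UPCOMING CHANGE NOTICE above is how to close that gap. Also, the line ending "unless you run Tomcat under a security manager." carries trailing whitespace.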
  @@ -50,6 +78,26 @@
   ------------------
   Catalina Bug Fixes:
   ------------------
  +
  +JSP Source Exposure Vulnerability:  Previous versions of Tomcat would expose
  +the source code to a JSP page, on some JDK platforms, when a request URL like
  +this was processed:
  +    http://localhost:8080/examples/jsp/num/numguess.jsp%00
  +The problem occurs because the null character (%00) causes extension mapping
  +to fail, so this URL is passed to the default file-serving servlet.  If the
  +web application is running in an unpacked directory structure, the JDK's
  +implementation of the File I/O methods is typically written in C, and the C
  +runtimes will not have any problem treating the null character as a filename
  +terminator.  Now, Tomcat 4.0 will throw HTTP error 400 (bad request) if you
  +use invalid characters (including %00) in your request URLs.
  +
  +StandardClassLoader:  Correct resource existence checks when using a URL.
  +This was causing automatic class reloading to fail in some cases.
  +
  +Bootstrap:  Preload additional classes necessary to pass all unit test and
  +Watchdog tests (and run many other test applications) when a security manager
  +is enabled.  Previously, problems could occur with
  +ServletContext.getResourcePaths() and ServletResponse.setLocale().
   
   
   ----------------
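Review bot: "invalid characters (including %00)" in the JSP Source Exposure entry is too vague for a security fix note: list exactly which characters are now rejected and state whether the check is applied before or after URL decoding, since a %00 only becomes a NUL once decoded. The root-cause sentence ("the JDK's implementation of the File I/O methods is typically written in C, and the C runtimes will not have any problem treating the null character as a filename terminator") reads awkwardly; suggest: "the native file-open truncates the path at the NUL, so numguess.jsp%00 opens numguess.jsp as a plain file and the default servlet serves it". The entry says only unpacked directory deployments were affected; say explicitly whether packed WAR deployments were not, so readers can assess exposure.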
  
  
  
  1.26      +5 -5      jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java
  
  Index: Globals.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java,v
  retrieving revision 1.25
  retrieving revision 1.26
  diff -u -r1.25 -r1.26
  --- Globals.java	2001/05/11 05:55:13	1.25
  +++ Globals.java	2001/05/15 02:50:10	1.26
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java,v
1.25 2001/05/11 05:55:13 craigmcc Exp $
  - * $Revision: 1.25 $
  - * $Date: 2001/05/11 05:55:13 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java,v
1.26 2001/05/15 02:50:10 craigmcc Exp $
  + * $Revision: 1.26 $
  + * $Date: 2001/05/15 02:50:10 $
    *
    * ====================================================================
    *
  @@ -69,7 +69,7 @@
    * Global constants that are applicable to multiple packages within Catalina.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.25 $ $Date: 2001/05/11 05:55:13 $
  + * @version $Revision: 1.26 $ $Date: 2001/05/15 02:50:10 $
    */
   
   public final class Globals {
  @@ -201,7 +201,7 @@
       /**
        * The descriptive information about this server and version.
        */
  -    public static final String SERVER_INFO = "Apache Tomcat/4.0-b5-dev";
  +    public static final String SERVER_INFO = "Apache Tomcat/4.0-b5";
   
   
       /**
  
  
  
  1.18      +2 -2      jakarta-tomcat-4.0/webapps/ROOT/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/ROOT/index.html,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- index.html	2001/05/11 05:55:16	1.17
  +++ index.html	2001/05/15 02:50:11	1.18
  @@ -4,13 +4,13 @@
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="GENERATOR" content="Mozilla/4.72 [en] (WinNT; U) [Netscape]">
   <meta name="Author" content="Anil K. Vijendran">
  -<title>Tomcat (v4.0-b5-dev)</title>
  +<title>Tomcat (v4.0-b5)</title>
   </head>
   <body bgcolor="#FFFFFF">
   <img SRC="tomcat.gif" height=92 width=130 align=LEFT><b><font face="Arial,
Helvetica, sans-serif"><font size=+3>Tomcat</font></font></b>
   <br>
   <b><font face="Arial, Helvetica, sans-serif"><font size=-1>Version
  -4.0-b5-dev</font></font></b>
  +4.0-b5</font></font></b>
   <p>This is the default Tomcat home page. This page serves as a quick reference
   guide to related resources and is located at:
   <ul>
  
  
  
