GLSA: tomcat
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200210-001
- --------------------------------------------------------------------

          PACKAGE : tomcat
          SUMMARY : source disclosure
          EXPLOIT : remote
             DATE : 2002-10-15 08:15 UTC

- --------------------------------------------------------------------

A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases (including Tomcat 4.0.5), which allows the use of a specially crafted URL to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by a security constraint, without the need for being properly authenticated.

This is based on a variant of the exploit that was disclosed on 09/24/2002.

Read the full disclosure at http://marc.theaimsgroup.com/?l=tomcat-dev&m=103417249325526&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running net-www/tomcat-4.0.5 and earlier update their systems as follows:

          emerge rsync
          emerge tomcat
          emerge clean

- --------------------------------------------------------------------
[EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz
- --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9q85zfT7nyhUpoZMRAripAKC2pwD2g82Np0cal/0afanM4mfVCgCfbx9o
dNLvNJOnmcq3QcvT/S4D3wQ=
=6MID
-----END PGP SIGNATURE-----
GLSA: tomcat
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------

          PACKAGE : tomcat
          SUMMARY : source exposure
             DATE : 2002-09-25 11:30 UTC

- --------------------------------------------------------------------

OVERVIEW

Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are vulnerable to source code exposure by using the default servlet org.apache.catalina.servlets.DefaultServlet.

DETAIL

Say you have a valid URL like http://my.site/login.jsp; then a URL like http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp will give you the source code of the JSP page.

The full syntax of the exposure URL is:

http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet/[context_relative_path/]file_name.jsp

More information can be found at: http://online.securityfocus.com/archive/1/292936/2002-09-22/2002-09-28/0

SOLUTION

It is recommended that all Gentoo Linux users who are running net-www/tomcat-4.04 and earlier update their systems as follows:

          emerge rsync
          emerge tomcat
          emerge clean

- --------------------------------------------------------------------
[EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz
- --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9kaeOfT7nyhUpoZMRAjecAJwLLkCyj/iVWlRFN+1RrzR4oo9dlQCgi1PV
DTRyRrBXhKFbP7+ScPIx2A8=
=S0kw
-----END PGP SIGNATURE-----
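Both advisories above describe the same exposure pattern: a request that names org.apache.catalina.servlets.DefaultServlet in the URL path and asks it for a JSP (or a protected static resource) directly. A defender who cannot upgrade immediately will want to know whether such requests have already reached a server, and which of them were answered. The following script is an added example, not part of either GLSA and not Gentoo or Apache code; it parses access-log lines in the common log format, percent-decodes the request path (repeatedly, so double-encoded variants are not missed), flags any request that routes through DefaultServlet by class name, and records whether the server returned 200 for it. All log lines are constructed samples; the hostnames, paths and status codes in them are assumptions for illustration.

```python
"""Flag access-log requests that invoke Tomcat's DefaultServlet by class name.

Added example for the two Tomcat source-exposure GLSAs; not code from the
advisories. Input is Apache/Tomcat "common" log format. Sample lines are
constructed and do not come from any real server.
"""

import re
from urllib.parse import unquote

# The servlet class named in the advisories' exposure URL.
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# host ident user [time] "METHOD path [protocol]" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(raw):
    """Drop the query string and percent-decode until the path stops changing,
    so a double-encoded request (%252e for '.') is compared in decoded form."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(path):
    """Return None for an ordinary request, 'jsp-source' when DefaultServlet is
    asked for a .jsp file, or 'static-resource' when it is asked for anything
    else (the advisory's protected-static-resource case)."""
    p = normalize_path(path)
    if DEFAULT_SERVLET not in p:
        return None
    target = p.split(DEFAULT_SERVLET, 1)[1]  # context-relative file requested
    return "jsp-source" if target.lower().endswith(".jsp") else "static-resource"


def scan(lines):
    """Parse each log line and collect the DefaultServlet invocations found."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-CLF line; skip rather than crash
        kind = classify(m.group("path"))
        if kind is None:
            continue
        hits.append({
            "host": m.group("host"),
            "time": m.group("time"),
            "path": normalize_path(m.group("path")),
            "kind": kind,
            "served": m.group("status") == "200",  # 200 means content was returned
        })
    return hits


# Constructed sample log: one benign request, three successful DefaultServlet
# invocations (one percent-encoded), one that got a 404, and one junk line.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Sep/2002:11:30:00 +0000] "GET /login.jsp HTTP/1.0" 200 1532',
    '10.0.0.9 - - [25/Sep/2002:11:31:07 +0000] "GET /servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp HTTP/1.0" 200 2210',
    '10.0.0.9 - - [25/Sep/2002:11:31:40 +0000] "GET /app/servlet/org.apache.catalina.servlets.DefaultServlet/%6cogin.jsp HTTP/1.0" 200 2210',
    '10.0.0.9 - - [25/Sep/2002:11:32:15 +0000] "GET /app/servlet/org.apache.catalina.servlets.DefaultServlet/admin/users.txt HTTP/1.0" 200 410',
    '10.0.0.9 - - [25/Sep/2002:11:33:02 +0000] "GET /servlet/org.apache.catalina.servlets.DefaultServlet/missing.jsp HTTP/1.0" 404 0',
    'not a log line at all',
]


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        state = "SERVED" if h["served"] else "denied"
        print(f'{h["time"]} {h["host"]} {h["kind"]:16} {state} {h["path"]}')
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a hit with served set to True on a server running one of the affected versions means JSP source (or a constrained static file) was actually handed out, which is the case that warrants the upgrade step given in the advisories plus a review of what the exposed source contained.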