http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13365

JSP source disclosure vulnerability not fixed when invoking servlets by name

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From [EMAIL PROTECTED] 2002-10-09 14:23 -------

Ok, this is fixed in all branches, and Tomcat 4.0.6 has been released (the default Tomcat 4.0.5 installation was vulnerable).

However, NEVER EVER DISCUSS A POTENTIAL SECURITY PROBLEM ON A PUBLIC COMMUNICATION CHANNEL, because this puts all Tomcat users at risk. The Tomcat Team also cannot release a new version within minutes of a security problem being published. Thanks. There are *private* mailing lists for that (security at apache.org), and you will be given all the credit you want or deserve.

I used the patch submitted as a patch which can be applied to Tomcat 4.0.5 to resolve the problem without upgrading to 4.0.6.