Hi,

Having just dealt with the issue below I was thinking where else, other than the Tomcat User mailing list, this information needed to be sent. That got me thinking about the wider issue of handling security issues at Jakarta/Apache. I went looking for, but failed to find, answers to the following questions:

1. Does anyone monitor the issues reported to [EMAIL PROTECTED] to ensure that they are evaluated and, if necessary, addressed in a timely manner? If yes, who? If not, should we?

2. Do we publish anywhere a list of known security issues and their associated fixes? If yes, where? If not, should we?

Does anyone here know the answers to these questions?

Mark

-------- Original Message --------
From: Mark Thomas <[EMAIL PROTECTED]>

All,

A security issue has come to light where a malformed request may result
in JSP source code disclosure.

This issue only applies if all of the following are true:
1. You are using any Tomcat 4 version >= 4.1.15
2. You are using the deprecated HTTP 1.1 connector
(org.apache.catalina.connector.http.HttpConnector)
3. You have configured 1 or more contexts served by the connector with a
resources element that uses the allowLinking parameter and this
parameter is set to true.

The fix is to use the Coyote HTTP connector
(org.apache.coyote.tomcat4.CoyoteConnector).

The on-line Tomcat 4 docs have been updated to include a warning about
this configuration combination. The next Tomcat 4 release will include
the updated documentation.

If you are using Tomcat 4 with the standard Coyote HTTP connector this
issue does not apply.

Tomcat 5.0.x and 5.5.x are unaffected by this issue.

Thanks are due to Glenn Choat who reported this issue to the Tomcat team
last week.

As a reminder, if you have a verified security bug to report please do
not post it to email lists or submit a bug report. Security bugs should
be reported privately by email to [EMAIL PROTECTED]

Regards,

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
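As an added example, not part of Mark's mail and not a tool shipped by the Tomcat project: a POSIX shell check for the configuration combination the forwarded message describes (Tomcat 4, the deprecated `org.apache.catalina.connector.http.HttpConnector`, and a `<Resources>` element with `allowLinking="true"`), run against two constructed `server.xml` fragments, one with the deprecated connector and one switched to `org.apache.coyote.tomcat4.CoyoteConnector` as the mail recommends. The connector attributes other than `className` (ports, processor counts, timeouts) are the Tomcat 4 defaults and are assumptions here; `FileDirContext` as the Resources class is likewise an assumption. The check is deliberately coarse: a plain `server.xml` does not record which Connector serves which Context, so a hit means "review this file", not proven exposure.

```shell
#!/bin/sh
# Added example, not from the original mail or the Tomcat project.
# Flags a Tomcat 4 server.xml that BOTH declares the deprecated HTTP/1.1
# connector AND has a <Resources ... allowLinking="true"> element.

# Return 0 (true) when the file declares the deprecated HTTP/1.1 connector.
has_deprecated_connector() {
  grep -q 'className="org.apache.catalina.connector.http.HttpConnector"' "$1"
}

# Return 0 (true) when any <Resources> element sets allowLinking="true".
# Newlines are folded first so an element split across lines still matches.
has_allow_linking() {
  tr '\n' ' ' < "$1" | grep -q '<Resources[^>]*allowLinking="true"'
}

# Prints a verdict and returns 0 only when both conditions hold.
check_server_xml() {
  if has_deprecated_connector "$1" && has_allow_linking "$1"; then
    echo "EXPOSED: $1 uses the deprecated HttpConnector with allowLinking=\"true\""
    return 0
  fi
  echo "NOT-EXPOSED: $1"
  return 1
}

# Constructed sample 1: the combination the advisory warns about.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <!-- Deprecated HTTP/1.1 connector (assumed Tomcat 4 default attributes) -->
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8080" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8443"
               acceptCount="10" debug="0" connectionTimeout="60000"/>
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true">
        <Context path="/app" docBase="app" debug="0">
          <Resources className="org.apache.naming.resources.FileDirContext"
                     allowLinking="true"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
EOF

# Constructed sample 2: same contexts, connector switched to Coyote as the
# mail recommends. allowLinking is left as-is on purpose, to show that the
# connector change alone takes the file outside the advisory's conditions.
FIXED=$(mktemp)
cat > "$FIXED" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <!-- Coyote HTTP/1.1 connector (assumed Tomcat 4.1 default attributes) -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8443"
               acceptCount="100" debug="0" connectionTimeout="20000"
               useURIValidationHack="false" disableUploadTimeout="true"/>
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true">
        <Context path="/app" docBase="app" debug="0">
          <Resources className="org.apache.naming.resources.FileDirContext"
                     allowLinking="true"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
EOF

for f in "$WEAK" "$FIXED"; do
  check_server_xml "$f" || :
done
```

Run it against a real installation with `check_server_xml /path/to/conf/server.xml` after sourcing the functions; on a real file, remember that a single `server.xml` may hold several `<Service>` blocks, each with its own connectors, so a hit still needs a manual look at which Connector fronts the Context that carries `allowLinking="true"`.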
