A denial-of-service vulnerability was recently discovered affecting Tomcat 3.3 running on Windows systems. A special HTTP request can cause the request to hang and never complete. This prevents the thread handling the request from handling any further requests until Tomcat is restarted. Other systems are not affected, and neither Tomcat 3.2.x nor Tomcat 4.x has this vulnerability.
The Tomcat 3.3 site now contains Tomcat version 3.3a, which has the minimum of changes needed to avoid the vulnerability. In addition to the full binary distribution, jars are available so that an existing Tomcat 3.3 site may be updated. For details, see: <http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3/bin/>

It is recommended that everyone using Tomcat 3.3 on Windows systems upgrade to 3.3a using the binary distribution or update jar(s). Updated source is also available, and may be found here: <http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3/src/>

For consistency, affected RPMs have been updated to 3.3a. Since only Windows systems are vulnerable, updating is optional.

For those who do not require an officially released version, you are welcome to consider using the current Tomcat 3.3.1-dev release. Since Tomcat 3.3.x is in maintenance mode, no major changes have occurred since Tomcat 3.3 Final's release. You should find 3.3.1-dev as stable as 3.3 and more bug-free. To view what has been done so far, see: <http://cvs.apache.org/viewcvs/jakarta-tomcat/RELEASE-NOTES-3.3.1.txt?rev=1.22&content-type=text/vnd.viewcvs-markup>

The binary distribution for Tomcat 3.3.1-dev may be found at: <http://jakarta.apache.org/builds/jakarta-tomcat/nightly-3.3.x/>

Work is underway to bring Tomcat 3.3.1 to a release, hopefully within the next two to three weeks.

Larry Isaacs