Tomcat 3.3.1a has been released to address the following two vulnerabilities found in Tomcat 3.3.1 and earlier. This includes Tomcat 3.2.4 and earlier.
Tomcat 4.0.4, 4.0.6, 4.1.12, 4.1.18, and 4.1.19 have been checked and do not have these vulnerabilities.

1. Vulnerability where, when used with JDK 1.3.1 or earlier, a maliciously crafted request could return a directory listing even when an index.html, index.jsp, or other welcome file is present. File contents can be returned as well. In the case of Tomcat 3.2.4 and earlier, contents of files under WEB-INF could be accessed.

If you are using Tomcat 3.3.1 or earlier with JDK 1.3.1 or earlier, you should either upgrade to JDK 1.4 or later, or upgrade your Tomcat installation to Tomcat 3.3.1a or a current release of Tomcat 4.

2. Vulnerability where a malicious web application could read the contents of some files outside the web application via its web.xml file in spite of the presence of a security manager. The content of files that can be read as part of an XML document would be accessible.

If you are running Tomcat 3.3.1 or earlier with a security manager, and are serving web applications whose web.xml content is not known to be safe, you should upgrade your Tomcat installation to 3.3.1a or a current release of Tomcat 4.

You may download Tomcat 3.3.1a binaries and updated jars from:
http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/bin/

Other Tomcat downloads may be obtained from:
http://jakarta.apache.org/site/binindex.cgi

These vulnerabilities have been fixed in the current Tomcat 3.3.2-dev files found at:
http://jakarta.apache.org/builds/jakarta-tomcat/nightly-3.3.x/

Larry
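The second vulnerability turns on a deployment descriptor being able to pull file contents into the XML document it is parsed as. The following is an added illustration, not code from the advisory or from Tomcat, of how a container or a deployment-time checker can parse an untrusted web.xml with the DOCTYPE and external-entity features switched off; it assumes the file access happens through XML external entity resolution, which the advisory implies but does not name, and the sample descriptor and its file path are constructed placeholders.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

public class HardenedDescriptorParser {

    // Constructed sample: a descriptor whose DOCTYPE declares an entity backed by a
    // file outside the web application (placeholder path). A hardened parser must
    // refuse the DOCTYPE outright rather than resolve the entity.
    static final String UNTRUSTED_WEB_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE web-app [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/outside.txt\">]>\n"
      + "<web-app><display-name>&ext;</display-name></web-app>";

    // Builder that rejects DOCTYPE declarations, external entities and external DTDs,
    // so nothing in the descriptor can reach files on the host.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // True when the descriptor parses cleanly; false when the hardened parser
    // rejects it (here: because it carries a DOCTYPE).
    static boolean acceptsDescriptor(String xml) throws Exception {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("untrusted descriptor accepted? " + acceptsDescriptor(UNTRUSTED_WEB_XML));
        System.out.println("plain descriptor accepted? "
            + acceptsDescriptor("<web-app><display-name>demo</display-name></web-app>"));
    }
}
```

The first call prints false and the second true; a descriptor that needs a DOCTYPE for its DTD reference should be validated against a local copy of that DTD rather than by re-enabling external resolution.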