remm 2002/09/24 04:46:36
Modified: docs index.html
docs/site binindex.html news.html
xdocs index.xml
xdocs/site binindex.xml news.xml
Log:
- Security bulletin.
- Tomcat 4.0.5 and 4.1.12 releases.
Revision Changes Path
1.150 +1 -0 jakarta-site2/docs/index.html
Index: index.html
===================================================================
RCS file: /home/cvs/jakarta-site2/docs/index.html,v
retrieving revision 1.149
retrieving revision 1.150
diff -u -r1.149 -r1.150
--- index.html 16 Sep 2002 22:37:53 -0000 1.149
+++ index.html 24 Sep 2002 11:46:36 -0000 1.150
@@ -153,6 +153,7 @@
<blockquote>
<p>
<ul>
+<li><a href="site/news.html#0924.1">24 September 2002 - <b>Security updates: Tomcat
4.1.12 Stable and Tomcat 4.0.5 Released</b></a></li>
<li><a href="site/news.html#0916.1">16 September 2002 - <b>Avalon-Phoenix 4.0
Released</b></a></li>
<li><a href="site/news.html#0912.1">12 September 2002 - <b>Commons Discovery 0.1
Released</b></a></li>
<li><a href="site/news.html#0906.1">06 September 2002 - <b>Tomcat 4.1.10 Stable
Released</b></a></li>
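Review bot: the new list item's anchor `site/news.html#0924.1` must match the `<a name="0924.1">` added to news.html in this same commit, and it does, with the date-based naming following the existing 0916.1/0912.1/0906.1 entries. Since docs/index.html is a generated copy of xdocs/index.xml, confirm that this hand-edited line is exactly what the site build emits, or the next regeneration will silently rewrite it.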
1.213 +2 -2 jakarta-site2/docs/site/binindex.html
Index: binindex.html
===================================================================
RCS file: /home/cvs/jakarta-site2/docs/site/binindex.html,v
retrieving revision 1.212
retrieving revision 1.213
diff -u -r1.212 -r1.213
--- binindex.html 13 Sep 2002 04:21:52 -0000 1.212
+++ binindex.html 24 Sep 2002 11:46:36 -0000 1.213
@@ -225,8 +225,8 @@
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-taglibs/releases/">Taglibs</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.2.4/bin/">Tomcat
3.2.4</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.3.1/bin/">Tomcat
3.3.1</a></li>
-<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.4/">Tomcat
4.0.4</a></li>
-<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.10/">Tomcat
4.1.10</a></li>
+<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.5/">Tomcat
4.0.5</a></li>
+<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.12/">Tomcat
4.1.12</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-turbine/release/2.1/">Turbine
2.1</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-velocity/release/v1.2/">Velocity
1.2</a></li>
</ul>
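Review bot: dropping the 4.0.4 and 4.1.10 entries instead of listing them beside the new versions is the right call, since the bulletin in news.html names both as affected and the index should not keep steering downloads to them. The new hrefs, however, point at `http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.5/` and `.../v4.1.12/` while the bulletin links to `http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/...`; verify that both trees exist and hold the same artifacts before this goes live, otherwise readers following one page will land on a missing or stale directory.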
1.227 +37 -1 jakarta-site2/docs/site/news.html
Index: news.html
===================================================================
RCS file: /home/cvs/jakarta-site2/docs/site/news.html,v
retrieving revision 1.226
retrieving revision 1.227
diff -u -r1.226 -r1.227
--- news.html 16 Sep 2002 22:37:54 -0000 1.226
+++ news.html 24 Sep 2002 11:46:36 -0000 1.227
@@ -151,7 +151,43 @@
</td></tr>
<tr><td>
<blockquote>
- <a name="0916.1">
+ <a name="0924.1">
+<h3>24 September 2002 - Security updates: Tomcat 4.1.12 Stable and Tomcat 4.0.5
Released</h3>
+</a>
+ <p>
+ A security vulnerability has been confirmed to exist in all Apache Tomcat
+4.x versions (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows to use
+a specially crafted URL to return the unprocessed source of a JSP page, or
+under special circumstances a static resource which would otherwise have been
+protected by security constraint, without the need of being properly
+authenticated.
+<br /><br />
+Using the invoker servlet in conjunction with the default servlet
+(responsible for handling static content in Tomcat) triggers this
+vulnerability. This particular configuration is available in the default
+Tomcat configuration. An easy workaround exists for existing Tomcat
+installation, by disabling the invoker servlet in the default webapp
+configuration.
+<br /><br />
+In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml),
comment out or remove the following XML fragment:
+<br />
+<code>
+ <servlet-mapping>
+ <servlet-name>invoker</servlet-name>
+ <url-pattern>/servlet/*</url-pattern>
+ </servlet-mapping>
+</code>
+<br /><br />
+The Apache Tomcat Team announces the immediate availability of new releases which
include a fix to the invoker servlet.
+<br />
+Binary and source distributions for Apache Tomcat 4.1.12 Stable are available
+<a
href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/">here</a>.
+<br />
+Binary and source distributions for Apache Tomcat 4.0.5 are available
+<a
href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/">here</a>.
+</p>
+ <hr size="1" noshade="noshade" />
+ <a name="0916.1">
<h3>16 September 2002 - Avalon-Phoenix 4.0 Released</h3>
</a>
<p>
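Review bot: the workaround fragment inside `<code>` (`<servlet-mapping>`, `<servlet-name>invoker</servlet-name>`, `<url-pattern>/servlet/*</url-pattern>`) is not entity-escaped, so a browser will treat it as unknown tags and render only the text "invoker" and "/servlet/*", which is exactly the part administrators need to copy; write the angle brackets as `&lt;` and `&gt;`, and consider `<pre>` so the indentation survives. Two wording fixes: "which allows to use a specially crafted URL" reads better as "which allows a specially crafted URL to be used", and "for existing Tomcat installation" should be "installations". The bulletin also carries no advisory or tracking identifier and does not state that removing the `/servlet/*` mapping disables any application that relies on invoking servlets through that path; one sentence on each would let administrators judge the workaround against the upgrade.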
1.112 +1 -0 jakarta-site2/xdocs/index.xml
Index: index.xml
===================================================================
RCS file: /home/cvs/jakarta-site2/xdocs/index.xml,v
retrieving revision 1.111
retrieving revision 1.112
diff -u -r1.111 -r1.112
--- index.xml 16 Sep 2002 22:35:09 -0000 1.111
+++ index.xml 24 Sep 2002 11:46:36 -0000 1.112
@@ -12,6 +12,7 @@
<section name="Product News">
<p>
<ul>
+<li><a href="site/news.html#0924.1">24 September 2002 - <b>Security updates: Tomcat
4.1.12 Stable and Tomcat 4.0.5 Released</b></a></li>
<li><a href="site/news.html#0916.1">16 September 2002 - <b>Avalon-Phoenix 4.0
Released</b></a></li>
<li><a href="site/news.html#0912.1">12 September 2002 - <b>Commons Discovery 0.1
Released</b></a></li>
<li><a href="site/news.html#0906.1">06 September 2002 - <b>Tomcat 4.1.10 Stable
Released</b></a></li>
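Review bot: this is the xdocs source for the docs/index.html change in the same commit; the item text and the `#0924.1` anchor match the generated copy, so a rebuild should reproduce it without a diff. Keep it that way: any later edit to the bulletin title belongs here first, not in the generated HTML.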
1.177 +2 -2 jakarta-site2/xdocs/site/binindex.xml
Index: binindex.xml
===================================================================
RCS file: /home/cvs/jakarta-site2/xdocs/site/binindex.xml,v
retrieving revision 1.176
retrieving revision 1.177
diff -u -r1.176 -r1.177
--- binindex.xml 13 Sep 2002 04:21:53 -0000 1.176
+++ binindex.xml 24 Sep 2002 11:46:36 -0000 1.177
@@ -94,8 +94,8 @@
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-taglibs/releases/">Taglibs</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.2.4/bin/">Tomcat
3.2.4</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.3.1/bin/">Tomcat
3.3.1</a></li>
-<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.4/">Tomcat
4.0.4</a></li>
-<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.10/">Tomcat
4.1.10</a></li>
+<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.5/">Tomcat
4.0.5</a></li>
+<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.12/">Tomcat
4.1.12</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-turbine/release/2.1/">Turbine
2.1</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-velocity/release/v1.2/">Velocity
1.2</a></li>
</ul>
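Review bot: same download-location mismatch as in the generated binindex.html: these entries use `http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.5/` and `.../v4.1.12/`, whereas news.xml in this commit sends readers to `http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/...`. Since this file is the source the site is regenerated from, settle on one canonical release URL here and make news.xml agree with it.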
1.197 +37 -0 jakarta-site2/xdocs/site/news.xml
Index: news.xml
===================================================================
RCS file: /home/cvs/jakarta-site2/xdocs/site/news.xml,v
retrieving revision 1.196
retrieving revision 1.197
diff -u -r1.196 -r1.197
--- news.xml 16 Sep 2002 22:35:09 -0000 1.196
+++ news.xml 24 Sep 2002 11:46:36 -0000 1.197
@@ -11,6 +11,43 @@
<section name="News & Status">
+<a name="0924.1">
+<h3>24 September 2002 - Security updates: Tomcat 4.1.12 Stable and Tomcat 4.0.5
Released</h3>
+</a>
+<p>
+ A security vulnerability has been confirmed to exist in all Apache Tomcat
+4.x versions (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows to use
+a specially crafted URL to return the unprocessed source of a JSP page, or
+under special circumstances a static resource which would otherwise have been
+protected by security constraint, without the need of being properly
+authenticated.
+<br/><br/>
+Using the invoker servlet in conjunction with the default servlet
+(responsible for handling static content in Tomcat) triggers this
+vulnerability. This particular configuration is available in the default
+Tomcat configuration. An easy workaround exists for existing Tomcat
+installation, by disabling the invoker servlet in the default webapp
+configuration.
+<br/><br/>
+In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml),
comment out or remove the following XML fragment:
+<br/>
+<code>
+ <servlet-mapping>
+ <servlet-name>invoker</servlet-name>
+ <url-pattern>/servlet/*</url-pattern>
+ </servlet-mapping>
+</code>
+<br/><br/>
+The Apache Tomcat Team announces the immediate availability of new releases which
include a fix to the invoker servlet.
+<br/>
+Binary and source distributions for Apache Tomcat 4.1.12 Stable are available
+<a
href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/">here</a>.
+<br/>
+Binary and source distributions for Apache Tomcat 4.0.5 are available
+<a
href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/">here</a>.
+</p>
+<hr size="1" noshade="noshade" />
+
<a name="0916.1">
<h3>16 September 2002 - Avalon-Phoenix 4.0 Released</h3>
</a>
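Review bot: in this xdocs source the `<servlet-mapping>` fragment is well-formed XML, so the site generator will read it as child elements of `<code>` and pass them through as markup, which is why the generated news.html shows the same unescaped tags; the fix has to be made here, in the source, by writing the brackets as `&lt;` and `&gt;` (the `$CATALINA_HOME` path line and the surrounding text are fine as-is). The wording points from the news.html hunk apply here too ("allows a specially crafted URL to be used", "installations"), and the `<br/>` versus `<br />` spelling between the two copies is harmless but suggests the HTML was edited by hand rather than regenerated; run the build and commit its output so the two files stay byte-identical.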