remm 2002/10/09 07:06:56
Modified: docs index.html
docs/site binindex.html news.html sourceindex.html
xdocs index.xml
xdocs/site binindex.xml news.xml sourceindex.xml
Log:
- Tomcat 4.0.6 release.
Revision Changes Path
1.156 +1 -0 jakarta-site2/docs/index.html
Index: index.html
===================================================================
RCS file: /home/cvs/jakarta-site2/docs/index.html,v
retrieving revision 1.155
retrieving revision 1.156
diff -u -r1.155 -r1.156
--- index.html 8 Oct 2002 15:29:57 -0000 1.155
+++ index.html 9 Oct 2002 14:06:55 -0000 1.156
@@ -153,6 +153,7 @@
<blockquote>
<p>
<ul>
+<li><a href="site/news.html#1009.1">09 October 2002 - <b>Security update: Tomcat
4.0.6 Released</b></a></li>
<li><a href="site/news.html#1004.1">04 October 2002 - <b>Commons Lang 1.0
Released</b></a></li>
<li><a href="site/news.html#1003.1">03 October 2002 - <b>Ant 1.5.1
Released</b></a></li>
<li><a href="site/news.html#0927.1">27 September 2002 - <b>Commons Logging 1.0.2
Released</b></a></li>
1.218 +1 -1 jakarta-site2/docs/site/binindex.html
Index: binindex.html
===================================================================
RCS file: /home/cvs/jakarta-site2/docs/site/binindex.html,v
retrieving revision 1.217
retrieving revision 1.218
diff -u -r1.217 -r1.218
--- binindex.html 4 Oct 2002 22:29:19 -0000 1.217
+++ binindex.html 9 Oct 2002 14:06:55 -0000 1.218
@@ -226,7 +226,7 @@
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-taglibs/releases/">Taglibs</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.2.4/bin/">Tomcat
3.2.4</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.3.1/bin/">Tomcat
3.3.1</a></li>
-<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.5/">Tomcat
4.0.5</a></li>
+<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.6/">Tomcat
4.0.6</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.12/">Tomcat
4.1.12</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-turbine/release/2.1/">Turbine
2.1</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-velocity/release/v1.2/">Velocity
1.2</a></li>
1.232 +61 -1 jakarta-site2/docs/site/news.html
Index: news.html
===================================================================
RCS file: /home/cvs/jakarta-site2/docs/site/news.html,v
retrieving revision 1.231
retrieving revision 1.232
diff -u -r1.231 -r1.232
--- news.html 4 Oct 2002 22:29:19 -0000 1.231
+++ news.html 9 Oct 2002 14:06:55 -0000 1.232
@@ -151,7 +151,67 @@
</td></tr>
<tr><td>
<blockquote>
- <a name="1004.1">
+ <a name="1009.1">
+<h3>9 October 2002 - Tomcat 4.0.6 Released.</h3>
+</a>
+ <p>
+A security vulnerability has been confirmed to exist in Apache Tomcat
+4.0.x releases (including Tomcat 4.0.5), which allows to use a specially
+crafted URL to return the unprocessed source of a JSP page, or, under
+special circumstances, a static resource which would otherwise have been
+protected by security constraint, without the need for being properly
+authenticated. This is based on a variant of the exploit that was
+disclosed on 09/24/2002.
+</p>
+ <p>
+<b>Who is vulnerable</b>
+<ul>
+<li>All Tomcat 4.0.x releases, except those in which the invoker servlet
+is disabled (this is not the default setting).</li>
+<li>All Tomcat 4.1.x releases before 4.1.12, except those in which the
+invoker servlet is disabled (this is not the default setting), as
+well as 4.1.12 if and only if the invoker servlet has been enabled.
+The default Tomcat 4.1.12 installation is not vulnerable.</li>
+</ul>
+</p>
+ <p>
+<b>Fixes and workarounds</b>(doing either of the following can be use as a
+workaround for the security problem)
+<ul>
+<li> Disabling the invoker servlet
+
+In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml),
comment out or remove the following XML fragment:
+<br />
+<code>
+ <servlet-mapping><br />
+ <servlet-name>invoker</servlet-name><br />
+ <url-pattern>/servlet/*</url-pattern><br />
+ </servlet-mapping>
+</code>
+</li>
+
+<li> If running any Tomcat 4.0.x releases, download and install the
+following <a
href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip">binary
patch</a>.
+Simply unzip the archive in the $CATALINA_HOME folder (on Windows
+%CATALINA_HOME%). Make sure paths are preserved when unzipping. The
+patch will overwrite the default webapp configuration file
+($CATALINA_HOME/conf/web.xml) to add a workaround to protect
+against the security vulnerability.
+</li>
+
+<li> If running Tomcat 4.1.12 and the invoker servlet was enabled, it must
+be disabled at this time. A new Tomcat 4.1.x release incorporating
+the fix to the invoker servlet will be made available shortly.
+</li>
+
+<li> If running any Tomcat 4.0.x release, download and install Tomcat 4.0.6.
+Binary and source distributions for Apache Tomcat 4.0.5 are available
+<a
href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.6/">here</a>.
+</li>
+</ul>
+</p>
+ <hr size="1" noshade="noshade" />
+ <a name="1004.1">
<h3>4 October 2002 - Commons Lang 1.0 released.</h3>
</a>
<p>
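Review bot: the last bullet of the "Fixes and workarounds" list says "Binary and source distributions for Apache Tomcat 4.0.5 are available here" while the link points at .../release/v4.0.6/ and the item announces 4.0.6; change "4.0.5" to "4.0.6", since as written it directs readers to the vulnerable version. Second, the web.xml fragment inside <code> is emitted as raw <servlet-mapping>, <servlet-name> and <url-pattern> tags rather than entity-escaped text, so a browser will treat them as unknown elements and render only the <br /> line breaks; write them as &lt;servlet-mapping&gt; etc. (the same text is committed in xdocs/site/news.xml, so the fix belongs there and this file should be regenerated). Third, "doing either of the following" does not fit a four-item list in which items 2 and 4 both apply to 4.0.x and item 3 is the only option for 4.1.12; suggest "apply whichever of the following applies to your version". Minor wording: "which allows to use a specially crafted URL to return" -> "which allows a specially crafted URL to return", "can be use as" -> "can be used as", and a space is missing after </b> in "<b>Fixes and workarounds</b>(doing". Finally, since the hotfix "will overwrite the default webapp configuration file ($CATALINA_HOME/conf/web.xml)", the text should tell administrators to back up any local changes to that file before unzipping, or those changes will be silently lost.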
1.145 +2 -2 jakarta-site2/docs/site/sourceindex.html
Index: sourceindex.html
===================================================================
RCS file: /home/cvs/jakarta-site2/docs/site/sourceindex.html,v
retrieving revision 1.144
retrieving revision 1.145
diff -u -r1.144 -r1.145
--- sourceindex.html 4 Oct 2002 22:29:20 -0000 1.144
+++ sourceindex.html 9 Oct 2002 14:06:56 -0000 1.145
@@ -226,7 +226,8 @@
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-struts/release/v1.0.2/src/">Struts
1.0.2</a></li>
<li><a href="http://www.apache.org/dist/jakarta/tomcat/release/v3.2.4/src/">Tomcat
3.2.4</a></li>
<li><a href="http://www.apache.org/dist/jakarta/tomcat/release/v3.3.1/src/">Tomcat
3.3.1</a></li>
-<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.3/src/">Tomcat
4.0.3</a></li>
+<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.6/src/">Tomcat
4.0.6</a></li>
+<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.12/src/">Tomcat
4.1.12</a></li>
</ul>
<h2>
Milestone Builds
@@ -235,7 +236,6 @@
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-avalon/release/phoenix/latest/">Avalon
Phoenix 4.0 alpha 1</a></li>
<li><a href="http://www.apache.org/dist/jakarta/jakarta-james/latest/">James Latest
Release Candidate</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-jmeter/unstable/v1.7.2/">JMeter
1.7.2</a></li>
-<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.4-b2/src/">Tomcat
4.0.4 Beta 2</a></li>
<li><a href="http://jakarta.apache.org/builds/jakarta-poi/dev/src/">POI 1.8-dev
(early development build)</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-struts/release/v1.1-b2/src/">Struts
1.1 Beta 2</a></li>
</ul>
1.118 +1 -0 jakarta-site2/xdocs/index.xml
Index: index.xml
===================================================================
RCS file: /home/cvs/jakarta-site2/xdocs/index.xml,v
retrieving revision 1.117
retrieving revision 1.118
diff -u -r1.117 -r1.118
--- index.xml 8 Oct 2002 15:29:57 -0000 1.117
+++ index.xml 9 Oct 2002 14:06:56 -0000 1.118
@@ -12,6 +12,7 @@
<section name="Product News">
<p>
<ul>
+<li><a href="site/news.html#1009.1">09 October 2002 - <b>Security update: Tomcat
4.0.6 Released</b></a></li>
<li><a href="site/news.html#1004.1">04 October 2002 - <b>Commons Lang 1.0
Released</b></a></li>
<li><a href="site/news.html#1003.1">03 October 2002 - <b>Ant 1.5.1
Released</b></a></li>
<li><a href="site/news.html#0927.1">27 September 2002 - <b>Commons Logging 1.0.2
Released</b></a></li>
1.182 +1 -1 jakarta-site2/xdocs/site/binindex.xml
Index: binindex.xml
===================================================================
RCS file: /home/cvs/jakarta-site2/xdocs/site/binindex.xml,v
retrieving revision 1.181
retrieving revision 1.182
diff -u -r1.181 -r1.182
--- binindex.xml 4 Oct 2002 22:29:20 -0000 1.181
+++ binindex.xml 9 Oct 2002 14:06:56 -0000 1.182
@@ -95,7 +95,7 @@
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-taglibs/releases/">Taglibs</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.2.4/bin/">Tomcat
3.2.4</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat/release/v3.3.1/bin/">Tomcat
3.3.1</a></li>
-<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.5/">Tomcat
4.0.5</a></li>
+<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.6/">Tomcat
4.0.6</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.12/">Tomcat
4.1.12</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-turbine/release/2.1/">Turbine
2.1</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-velocity/release/v1.2/">Velocity
1.2</a></li>
1.202 +61 -0 jakarta-site2/xdocs/site/news.xml
Index: news.xml
===================================================================
RCS file: /home/cvs/jakarta-site2/xdocs/site/news.xml,v
retrieving revision 1.201
retrieving revision 1.202
diff -u -r1.201 -r1.202
--- news.xml 4 Oct 2002 22:29:20 -0000 1.201
+++ news.xml 9 Oct 2002 14:06:56 -0000 1.202
@@ -11,6 +11,67 @@
<section name="News & Status">
+<a name="1009.1">
+<h3>9 October 2002 - Tomcat 4.0.6 Released.</h3>
+</a>
+<p>
+A security vulnerability has been confirmed to exist in Apache Tomcat
+4.0.x releases (including Tomcat 4.0.5), which allows to use a specially
+crafted URL to return the unprocessed source of a JSP page, or, under
+special circumstances, a static resource which would otherwise have been
+protected by security constraint, without the need for being properly
+authenticated. This is based on a variant of the exploit that was
+disclosed on 09/24/2002.
+</p>
+<p>
+<b>Who is vulnerable</b>
+<ul>
+<li>All Tomcat 4.0.x releases, except those in which the invoker servlet
+is disabled (this is not the default setting).</li>
+<li>All Tomcat 4.1.x releases before 4.1.12, except those in which the
+invoker servlet is disabled (this is not the default setting), as
+well as 4.1.12 if and only if the invoker servlet has been enabled.
+The default Tomcat 4.1.12 installation is not vulnerable.</li>
+</ul>
+</p>
+<p>
+<b>Fixes and workarounds</b>(doing either of the following can be use as a
+workaround for the security problem)
+<ul>
+<li>Disabling the invoker servlet: In the $CATALINA_HOME/conf/web.xml file (on
+ Windows, %CATALINA_HOME%\conf\web.xml), comment out or remove the following
+XML fragment:
+<br/>
+<code>
+ <servlet-mapping><br/>
+ <servlet-name>invoker</servlet-name><br/>
+ <url-pattern>/servlet/*</url-pattern><br/>
+ </servlet-mapping>
+</code>
+</li>
+
+<li> If running any Tomcat 4.0.x releases, download and install the
+following <a
href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip">binary
patch</a>.
+Simply unzip the archive in the $CATALINA_HOME folder (on Windows
+%CATALINA_HOME%). Make sure paths are preserved when unzipping. The
+patch will overwrite the default webapp configuration file
+($CATALINA_HOME/conf/web.xml) to add a workaround to protect
+against the security vulnerability.
+</li>
+
+<li> If running Tomcat 4.1.12 and the invoker servlet was enabled, it must
+be disabled at this time. A new Tomcat 4.1.x release incorporating
+the fix to the invoker servlet will be made available shortly.
+</li>
+
+<li> If running any Tomcat 4.0.x release, download and install Tomcat 4.0.6.
+Binary and source distributions for Apache Tomcat 4.0.5 are available
+<a
href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.6/">here</a>.
+</li>
+</ul>
+</p>
+<hr size="1" noshade="noshade" />
+
<a name="1004.1">
<h3>4 October 2002 - Commons Lang 1.0 released.</h3>
</a>
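Review bot: inside the <code> element the fragment is written as literal <servlet-mapping>, <servlet-name> and <url-pattern> elements; in an XML source the parser will treat these as markup and the generated page will not show the text the reader is supposed to comment out or remove, so they must be escaped as &lt;servlet-mapping&gt;, &lt;servlet-name&gt;invoker&lt;/servlet-name&gt; and &lt;url-pattern&gt;/servlet/*&lt;/url-pattern&gt;. The last bullet also names "Apache Tomcat 4.0.5" as the download although the link and the announcement are for 4.0.6; change it to 4.0.6. Less important: a <ul> nested directly inside <p> is not valid, so close the <p> after the bold heading; "doing either of the following" should read "apply whichever of the following applies to your version" since the four items are not interchangeable (items 2 and 4 are both for 4.0.x, item 3 is the only option for 4.1.12); and the 09/24/2002 disclosure the text refers to should be linked or cited so readers can check which variant this is.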
1.106 +2 -2 jakarta-site2/xdocs/site/sourceindex.xml
Index: sourceindex.xml
===================================================================
RCS file: /home/cvs/jakarta-site2/xdocs/site/sourceindex.xml,v
retrieving revision 1.105
retrieving revision 1.106
diff -u -r1.105 -r1.106
--- sourceindex.xml 4 Oct 2002 22:29:20 -0000 1.105
+++ sourceindex.xml 9 Oct 2002 14:06:56 -0000 1.106
@@ -94,7 +94,8 @@
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-struts/release/v1.0.2/src/">Struts
1.0.2</a></li>
<li><a href="http://www.apache.org/dist/jakarta/tomcat/release/v3.2.4/src/">Tomcat
3.2.4</a></li>
<li><a href="http://www.apache.org/dist/jakarta/tomcat/release/v3.3.1/src/">Tomcat
3.3.1</a></li>
-<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.3/src/">Tomcat
4.0.3</a></li>
+<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.6/src/">Tomcat
4.0.6</a></li>
+<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.1.12/src/">Tomcat
4.1.12</a></li>
</ul>
<h2>
@@ -105,7 +106,6 @@
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-avalon/release/phoenix/latest/">Avalon
Phoenix 4.0 alpha 1</a></li>
<li><a href="http://www.apache.org/dist/jakarta/jakarta-james/latest/">James Latest
Release Candidate</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-jmeter/unstable/v1.7.2/">JMeter
1.7.2</a></li>
-<li><a
href="http://www.apache.org/dist/jakarta/jakarta-tomcat-4.0/release/v4.0.4-b2/src/">Tomcat
4.0.4 Beta 2</a></li>
<li><a href="http://jakarta.apache.org/builds/jakarta-poi/dev/src/">POI 1.8-dev
(early development build)</a></li>
<li><a
href="http://www.apache.org/dist/jakarta/jakarta-struts/release/v1.1-b2/src/">Struts
1.1 Beta 2</a></li>
</ul>
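Review bot: dropping the Tomcat 4.0.4 Beta 2 entry from Milestone Builds is housekeeping that the log message ("Tomcat 4.0.6 release.") does not mention, as is the new Tomcat 4.1.12 source link in the previous hunk; add a line to the log for each so the history explains why a milestone download disappeared in the same commit as the security release.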