Johan,

I'm using Tomcat Version 3.2.1 and the readme document had the following
information
on Tomcat versions. There isn't info about 3.2.2 & 3.3 there but probably if
you
download those versions there will be a readme explaining the changes.

Besides the differences in functionality the other difference is the
quality/stability
of the versions - whether they are milestone, beta or release quality.

Tomcat Versions 3.1.1 and 3.2.1 are the only "release" builds.
Tomcat Versions 3.2.2 and 4.0 are beta versions.
Tomcat Version 3.3 is a milestone build.

>From a Struts point of view the minimum requirement is Tomcat 3.1 but there
are lots of
messages from those in the know that version 3.1 is not recommended, you
need 3.2 at least.

        e.g.
http://www.mail-archive.com/struts-user@jakarta.apache.org/msg04662.html

Hope this helps.

Niall

README> 1.  INTRODUCTION
README> Tomcat Version 3.2.1 is a security related update!  See Section 7,
below,
README> for details on the changes that have been made.  All other existing
issues with
README> Tomcat 3.2 will remain in 3.2.1 -- they will be addressed in
subsequent
README> maintenance updates (3.2.2, and so on).

README> 4.  TOMCAT: PAST, PRESENT, AND FUTURE
README> - Version 3.0 (released 12/1999) was the initial release of Tomcat.
In
README> addition to implementing the Java Servlet and Server Pages
specification,
README> this release featured a minimal Apache connector.

README> - Tomcat 3.1 (released 4/2000) improved the Apache connection and
added
README> connector support for Netscape and IIS web servers. It also added
WAR file
README> support, automatic servlet reloading, and a command line tool (jspc)
to
README> compile ahead of time the JSP pages that comprise your application.
Finally,
README> version 3.1 also focused on reorganizing the code (modularization,
cleanup,
README> refactoring, removal of dead code, and separation of J2EE-specific
code).

README> - Tomcat 3.2 is the first performance tune-up, and also adds a few
new
README> features (see next section).

README> - Tomcat 4.0 is separate development from Tomcat 3.x.  It is based
on the
README> Catalina architecture, which is very different from the architecture
of
README> Tomcat 3.x.  In addition, Tomcat 4.0 is to be the reference
implementation
README> for the Servlet 2.3 and JSP 1.2 specifications.

README> 7.  SECURITY VULNERABILITIES FIXED IN TOMCAT 3.2.1


README> 7.1 Protection of Resources in /WEB-INF and /META-INF Directories

README> The servlet specification prohibits servlet containers from serving
resources
README> in the /WEB-INF and /META-INF directories of a web application
archive directly
README> to clients.  In Tomcat 3.2, this means that URLs like:

README>    http://localhost:8080/examples/WEB-INF/web.xml

README> will return an error message, rather than the contents of your
deployment
README> descriptor.  However, there is a vulnerability in Tomcat 3.2 that
exposes
README> this information if the client requests a URL like this instead:

README>     http://localhost:8080/examples//WEB-INF/web.xml

README> (note the double slash before "WEB-INF").  This vulnerability has
been
README> corrected in Tomcat 3.2.1.


README> 7.2 Show Source Vulnerability

README> The example application delivered with Tomcat 3.2 included a
mechanism to
README> display the source code for the JSP page examples.  This mechanism
could
README> be used to bypass the restrictions on displaying sensitive
information in
README> the WEB-INF and META-INF directories.  This vulnerability has been
removed.


> -----Original Message-----
> From: Johan Compagner [mailto:[EMAIL PROTECTED]]
> Sent: 22 March 2001 00:00
> To: Struts
> Subject: Tomcat question
>
>
> Hi,
>
> One tomcat question for this list (i know there are some tomcat
> developers here)
> Why can't i find changes.html or something like that for the
> tomcat versions?
>
> You got now a
> 3.1.x branch (doesn't seem to be in development anymore)
> 3.2.x branch (still development 3.2.2 beta 1 as latest mile stonde)
> 3.3.x branch (the latest in 3.x)
>
> And you got 4.0
>
> I know the differences between 3.x (servlet 2.2 / jsp 1.1) and
> 4.x (servlet 2.3 / jsp 1.2)
>
> But why all those 3.x branches and why are there even 2 in development?
>
> Johan
>
>
>
>

Reply via email to