craigmcc 01/03/30 13:42:52 Modified: . RELEASE-NOTES-4.0-B2.txt Log: Increase the visibility of the security vulnerabilities that were fixed, and add information about the increased scope of the second vulnerability, beyond what was originally reported. Revision Changes Path 1.4 +18 -5 jakarta-tomcat-4.0/RELEASE-NOTES-4.0-B2.txt Index: RELEASE-NOTES-4.0-B2.txt =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/RELEASE-NOTES-4.0-B2.txt,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- RELEASE-NOTES-4.0-B2.txt 2001/03/30 20:31:52 1.3 +++ RELEASE-NOTES-4.0-B2.txt 2001/03/30 21:42:52 1.4 @@ -3,13 +3,14 @@ Release Notes ============= -$Id: RELEASE-NOTES-4.0-B2.txt,v 1.3 2001/03/30 20:31:52 craigmcc Exp $ +$Id: RELEASE-NOTES-4.0-B2.txt,v 1.4 2001/03/30 21:42:52 craigmcc Exp $ ============ INTRODUCTION: ============ + This document describes the changes that have been made in the current beta release of Apache Tomcat, relative to the previous release. 
@@ -20,11 +21,23 @@ Please use project codes "Catalina" and "Jasper" for servlet-related and JSP-related bug reports, respectively. + + +------------------------ +Important Security Notes: +------------------------ + +This release includes fixes for two security vulnerabilities that have been +reported against Tomcat 4.0 beta 1: + +* A "cross site scripting" vulnerability would cause the enclosed JavaScript + code to be executed (on the client) with a URL like: + + http://localhost:8080/<SCRIPT>alert(document.cookie)</SCRIPT).xyz + +* Incorrect URL decoding of the request URI would cause JSP page source code + to be displayed, and/or security constraints to be bypassed, for URLs like: -IMPORTANT SECURITY NOTE: This release includes a fix to a "cross site -scripting vulnerability" caused by a request URI such as: - http://localhost:8080/<SCRIPT>alert(document.cookie)</SCRIPT>.xyz -and the "may expose JSP source code" vulnerability caused by: http://localhost:8080/examples/jsp/snp/snoop.js%70
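Review bot: In the second hunk (@@ -20,11 +21,23 @@), the example URL added under the "cross site scripting" bullet ends in "</SCRIPT).xyz", whereas the line it replaces had "</SCRIPT>.xyz". The ")" looks like a typo for ">" and should be corrected so the release notes show the request as originally written. In the second bullet of the same hunk, the text now says the decoding problem can cause source disclosure "and/or security constraints to be bypassed, for URLs like:", but the single example that follows (the "snoop.js%70" URL) only illustrates the source-disclosure case. A short sentence saying which effect the example shows, and that both issues were reported against Tomcat 4.0 beta 1 and are fixed in this release, would make the widened scope clearer to readers deciding whether to upgrade.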