Hi fellow turbine users,
Just to inform all those who use Jakarta Turbine (we use v2.1), the recent vulnerability advisory for "Tomcat 4.x JSP source exposure security advisory" applies because it also reveals template source (which isn't too big a deal as long as no sensitive info is stored in there, but still), which means it also reveals any file in *ANY* directory under your webapp directory (/WEB-INF/ seems to be protected fine though).

I was able to test and confirm this on Tomcat 4.0.4.

Please consult the advisory for fixes and work-arounds. Here's the link to the announcement on the tomcat-user mailing list.

http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg67053.html

Regards,
Dan
