I have two questions regarding the security fixes included in 5.5.25.

On the changelog page (http://tomcat.apache.org/tomcat-5.5-doc/changelog.html), two security fixes are included:

- Fix XSS security vulnerability (CVE-2007-2450)
- Fix XSS security vulnerabilities (CVE-2007-2449)

But on the Security Reports page (http://tomcat.apache.org/security-5.html), three more vulnerabilities are reported as fixed (in 5.5 HEAD):

- Session hi-jacking CVE-2007-3382
- Session hi-jacking CVE-2007-3385
- Cross-site scripting CVE-2007-3386

I am especially interested in those two session hijacking vulnerability fixes. Are they included in 5.5.25?

Second question: if they are fixed in 5.5.25, is it possible to just drop the jar files (catalina.jar?) into the current production Tomcat's server/lib (it's 5.5.23) to apply the security fixes? (I guess I'd still have to restart Tomcat.) Or must I re-install the whole package?

Thanks for help in advance.

Timothy Wonil Lee
Java Developer
Koorong Books
email: [EMAIL PROTECTED]
direct ph: (+612) 9857 4448
direct fax: (+612) 9857 6648
http://www.google.com/reader/shared/16849249410805339619
http://timundergod.blogspot.com/

-----Original Message-----
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 9 September 2007 4:08 AM
To: Tomcat Users List
Cc: Tomcat Developers List
Subject: Re: [ANN] Apache Tomcat 5.5.25 released

Thanks, it's underway, syncing to mirrors as we speak

Filip

RuiXian BAO wrote:
> On 9/8/07, Filip Hanik - Dev Lists <[EMAIL PROTECTED]> wrote:
>
>> The Apache Tomcat team announces the immediate availability of Apache
>> Tomcat 5.5.25 stable.
>>
>> Apache Tomcat 5.5.25 incorporates numerous security updates and bug fixes.
>> Please refer to the change log for the list of changes:
>> http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
>
> Thanks, but the above page does not contain the 5.5.25 release change yet :)
>
> Best
>
> - RuiXian
>
>> Downloads:
>> http://tomcat.apache.org/download-55.cgi
>>
>> Thank you,
>>
>> -- The Apache Tomcat Team

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
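Whichever way the upgrade is done (drop-in jar or full re-install), the thing to verify afterwards is the version string the running catalina.jar actually reports, and whether that version is at or past the release that first shipped a given fix. The script below is an added example for that check; it is not from this thread or from the Tomcat project. It assumes a Tomcat 5.5 layout in which $CATALINA_HOME/server/lib/catalina.jar contains org/apache/catalina/util/ServerInfo.properties with a line such as `server.info=Apache Tomcat/5.5.23`, and that `unzip` is installed; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not the project's code). Reads the version that catalina.jar
# reports and compares it with the release that first carried a fix.
# Assumption: Tomcat 5.5 tree, server/lib/catalina.jar holding
# org/apache/catalina/util/ServerInfo.properties with a "server.info=" line.

# Extract "5.5.23" from ServerInfo.properties text supplied on stdin.
tomcat_version_from_props() {
    sed -n 's#^server\.info=Apache Tomcat/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# Report the version of an installed tree (needs unzip; takes CATALINA_HOME).
tomcat_version_of_home() {
    unzip -p "$1/server/lib/catalina.jar" \
        org/apache/catalina/util/ServerInfo.properties \
        | tomcat_version_from_props
}

# Numeric, field-by-field comparison of dotted versions so that
# 5.5.9 < 5.5.25 (a plain string compare would get this wrong).
# Returns 0 (true) when $1 >= $2.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0};   y=${y:-0}           # missing trailing fields count as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.};; *) a=;; esac   # drop the field just compared
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 0
}

# usage: needs_upgrade INSTALLED_VERSION FIXED_IN_VERSION  -> prints yes|no
needs_upgrade() {
    if version_ge "$1" "$2"; then echo no; else echo yes; fi
}

# Stand-alone use: ./check.sh /opt/tomcat 5.5.25
if [ -n "$1" ] && [ -n "$2" ]; then
    installed=$(tomcat_version_of_home "$1")
    echo "installed: $installed  fixed in: $2  upgrade needed: $(needs_upgrade "$installed" "$2")"
fi
```

Run it after a restart against the tree the live process was started from; a jar copied into the wrong directory, or a Tomcat started from a different CATALINA_HOME, still reports the old version, which is exactly the case the check is meant to catch.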