Author: jfclere Date: Fri Mar 2 17:20:48 2007 New Revision: 514042 URL: http://svn.apache.org/viewvc?view=rev&rev=514042 Log: Add a long note about the vulnerability.
Modified: tomcat/connectors/trunk/jk/xdocs/index.xml Modified: tomcat/connectors/trunk/jk/xdocs/index.xml URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/index.xml?view=diff&rev=514042&r1=514041&r2=514042 ============================================================================== --- tomcat/connectors/trunk/jk/xdocs/index.xml (original) +++ tomcat/connectors/trunk/jk/xdocs/index.xml Fri Mar 2 17:20:48 2007 
@@ -33,6 +33,28 @@ <p>The Apache Tomcat team is proud to announce the immediate availability of Tomcat Connectors 1.2.21 Stable. </p> +<p>This version addresses the security flaw: +<br /> +<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774"><b>CVE-2007-0774</b></a> +A Long URL Stack Overflow Vulnerability exists in the URI handler for the mod_jk library. +When parsing a long URL request, the URI worker map routine performs an +unsafe memory copy. This results in a stack overflow condition which can +be leveraged execute arbitrary code. +</p><p> +Please note this issue only affected versions 1.2.19 and 1.2.20 of the +JK Apache Tomcat Connector and not previous versions. +Tomcat 5.5.20 and Tomcat 4.1.34 +included a vulnerable version in their source packages. +<strong>No </strong>other source code releases <strong> and no binary packages</strong> +of Tomcat were affected. +</p><p> +The Apache Tomcat project recommends that all users who have built mod_jk from source apply the patch or upgrade to the latest level and rebuild. Providers of mod_jk-based modules in pre-compiled form will be able to determine if this vulnerability applies to their builds. That determination has no bearing on any other builds of mod_jk, and mod_jk users are urged to exercise caution and apply patches or upgrade unless they have specific instructions from the provider of their module. +</p><p> +The Tomcat Project thanks an anonymous researcher working with +TippingPoint (www.tippingpoint.com) and the Zero Day Initiative +(www.zerodayintiative.com) for their responsible reporting of this +vulnerability. +</p> <p>Download the <a href="http://www.apache.org/dist/tomcat/tomcat-connectors/jk/source/jk-1.2.21/tomcat-connectors-1.2.21-src.tar.gz">JK 1.2.21 release sources</a> | <a href="http://www.apache.org/dist/tomcat/tomcat-connectors/jk/source/jk-1.2.21/tomcat-connectors-1.2.21-src.tar.gz.asc">PGP signature</a> </p> 
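Review bot: the added advisory text has two wording defects that should be fixed before this goes live on the front page. In "This results in a stack overflow condition which can be leveraged execute arbitrary code" the verb is missing its "to" ("can be leveraged to execute arbitrary code"), and since the preceding sentence describes an unsafe memory copy in the URI worker map, "stack-based buffer overflow" is the precise term; "stack overflow" on its own is also read as stack exhaustion. The Zero Day Initiative URL is misspelled as "www.zerodayintiative.com" (should be "www.zerodayinitiative.com"), and neither it nor "www.tippingpoint.com" is an actual link, unlike the CVE reference just above. Two smaller points: the sentence recommending that users "apply the patch or upgrade" gives no link to the patch, so readers who cannot move to 1.2.21 have nothing to act on; and the stray spaces inside the emphasis tags in "<strong>No </strong>other source code releases <strong> and no binary packages</strong>" render as double spaces and should move outside the tags.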
@@ -193,11 +215,11 @@ </p> <ul> -<li><a href="news/2006"><b>2006</b></a> +<li><a href="news/20060101.html"><b>2006</b></a> </li> -<li><a href="news/2006"><b>2005</b></a> +<li><a href="news/20050101.html"><b>2005</b></a> </li> -<li><a href="news/2006"><b>2004</b></a> +<li><a href="news/20041100.html"><b>2004</b></a> </li> </ul>
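Review bot: the three year links are now distinct targets instead of all pointing at "news/2006", which is the right fix, but the 2004 entry breaks the naming pattern: 2006 and 2005 resolve to "news/20060101.html" and "news/20050101.html" while 2004 resolves to "news/20041100.html". Either the 2004 archive page really is named with a month of "11" and day "00", in which case a comment or a rename to the YYYY0101 form would keep the three consistent, or this is a typo that will produce a dead link. Please confirm that "news/20041100.html" exists in the generated site before committing the link change.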