Re: performing a security analysis on the Tomcat software

2005-11-25 Thread Bill Barker

"Nick Kew" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> On Thursday 24 November 2005 09:25, Hoehle, Joerg-Cyril wrote:
>> Dear tomcat developers,
>
> This is the httpd development list.  You won't find tomcat developers
> here, except by coincidence (those who are interested in both projects).
>

Actually, most of the Tomcat developers who are interested in mod_jk do 
happen to hang out here (since they usually are interested in mod_proxy_ajp 
as well :).

However, Nick is right, and the correct list is [EMAIL PROTECTED]

> -- 
> Nick Kew
> 

Re: performing a security analysis on the Tomcat software

2005-11-24 Thread Nick Kew
On Thursday 24 November 2005 09:25, Hoehle, Joerg-Cyril wrote:
> Dear tomcat developers,

This is the httpd development list.  You won't find tomcat developers
here, except by coincidence (those who are interested in both projects).

-- 
Nick Kew


performing a security analysis on the Tomcat software

2005-11-24 Thread Hoehle, Joerg-Cyril
Dear tomcat developers,

BSI, the German Federal Office for Information Security
 -- Bundesamt für Sicherheit in der Informationstechnik
http://www.bsi.de, e-mail: [EMAIL PROTECTED]
endorses the use of Open Source software and has
contracted T-Systems to perform a security check on Tomcat.

The Federal Office for Information Security (BSI) is the central IT
security service provider for the German government.  By our basic
research within the area of IT security we take responsibility for the
security of our society, and are thus indispensable to the internal
security of Germany.  Our services and products are aimed at the users
and manufacturers of information technology products. Those are
primarily the public administration at federal, state and municipal
level, and in addition companies and private users. As Germany's National
Security Agency, it is our goal to promote IT security in Germany so
that everyone can make the most of the opportunities opened up by the
information society.

As part of its activities, BSI has contracted the security engineering
group at T-Systems International to perform security-related testing of
the open source Tomcat software.

These activities comprise the following:
+ installation & documentation checks,
+ a source code review of mod_jk and selected parts of Tomcat,
+ penetration testing.

BSI is going to make the results of the analysis publicly available on the
internet, so people will be able to download the study from their site.

Please contact [EMAIL PROTECTED] for any questions related to the
analysis, or feel free to mail me at [EMAIL PROTECTED]

The analysis has already started. I think I owe you people an apology
for already having posted two bug reports (#37322 and #37332) prior to
this announcement of our activity to the mailing list.

We sincerely hope that our analysis will contribute to make Tomcat
even more robust and easy to deploy.  So far, we are very pleased
with what we see, which gives us a good impression of the software.

Our goal is to publish to the bugtracker individual and separable
items which can be classified as bugs. We'll alert [EMAIL PROTECTED]
for any serious security vulnerabilities we find (which is what
Bugzilla recommends). And finally, I plan to send a general summary
of findings to this mailing list when we have finished. These will
be the kind of findings and remarks that do not fit into individual
methods and modules but rather concern the software as a whole.

Regards,
Jörg Höhle.
Solution & Service Center Testfactory & Security
T-Systems International GmbH
Postal address: Deutsche-Telekom-Allee 7, 64295 Darmstadt
Tel. ++49 6151 937-6913