Over the last three days, a review of published and soon-to-be-published reports
of security vulnerabilities in Tomcat has uncovered a series of problems in the
3.1 final release, and a couple of less serious (but still significant) problems
in 3.2. Please vote (quickly) on the following two issues:
Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security problems
I have just posted a CVS commit that fixes the security vulnerabilities that I
know about, plus a release notes document (src/doc/readme) that describes what
was changed. I propose to create and announce an official release that reflects
these changes.
Note that there are no other functionality or bug fixes changes to 3.1 being
proposed, nor (IMHO) are any non-security-related fixes likely to be forthcoming
in the future. Therefore, I would propose to include a "strong encouragement"
for existing 3.1 users to update to 3.2 in order to benefit from the bug fixes
and security enhancements that it includes.
Proposal #2: Release a Tomcat 3.2.1 that fixes the following security problems
plus the patches committed to date.
Tomcat 3.2 final has the following security vulnerabilities that have
subsequently been fixed in the CVS repository:
* A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
expose sensitive information (note the double slash after "examples").
* The "Show Source" custom tag used to display JSP source code can
be used to expose sensitive information in WEB-INF.
I propose that we cut a Tomcat 3.2.1 release that includes these two fixes, plus
other bug fixes that have been committed to date. Additional bug fixes that
have been proposed but not yet committed can be included in a subsequent 3.2.2
release.
Craig
PS: Tomcat 4.0-m4 is vulnerable to the first of the two problems listed above
for 3.2 -- a fix has been posted, and will be included in the previously
announced milestone 5 release that is imminenet.
