on 12/11/2000 5:19 PM, "Craig R. McClanahan" <[EMAIL PROTECTED]>
wrote:
> Over the last three days, a review of published and soon-to-be-published
> reports of security vulnerabilities in Tomcat has uncovered a series of
> problems in the 3.1 final release, and a couple of less serious (but still
> significant) problems in 3.2. Please vote (quickly) on the following two
> issues:
>
>
> Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security problems
>
> I have just posted a CVS commit that fixes the security vulnerabilities that I
> know about, plus a release notes document (src/doc/readme) that describes what
> was changed. I propose to create and announce an official release that
> reflects these changes.
>
> Note that there are no other functionality or bug fix changes to 3.1 being
> proposed, nor (IMHO) are any non-security-related fixes likely to be
> forthcoming in the future. Therefore, I would propose to include a "strong
> encouragement" for existing 3.1 users to update to 3.2 in order to benefit
> from the bug fixes and security enhancements that it includes.
I think that we should just ask people to upgrade to 3.2.x.

> Proposal #2: Release a Tomcat 3.2.1 that fixes the following security
> problems plus the patches committed to date.
>
> Tomcat 3.2 final has the following security vulnerabilities that have
> subsequently been fixed in the CVS repository:
> * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can
> expose sensitive information (note the double slash after "examples").
> * The "Show Source" custom tag used to display JSP source code can
> be used to expose sensitive information in WEB-INF.
+1
> I propose that we cut a Tomcat 3.2.1 release that includes these two fixes,
> plus other bug fixes that have been committed to date. Additional bug fixes
> that have been proposed but not yet committed can be included in a subsequent
> 3.2.2 release.
+1
> PS: Tomcat 4.0-m4 is vulnerable to the first of the two problems listed above
> for 3.2 -- a fix has been posted, and will be included in the previously
> announced milestone 5 release that is imminent.
+1
-jon
--
Honk if you love peace and quiet.
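The two 3.2 issues quoted above (a doubled slash that reaches `WEB-INF/web.xml`, and a "Show Source" tag that can be pointed at `WEB-INF`) are both path-canonicalization problems. The following is an added illustration, not Tomcat's code or the fix that was committed; it assumes a rule that nothing under `WEB-INF` or `META-INF` may be served, shows a naive prefix check of the kind that a `//` slips past, and contrasts it with a check run on the canonical path segments. The `resolve_source_file` helper and the context root it takes are hypothetical, standing in for what a source-viewing feature would have to do before reading a file.

```python
"""Canonicalize a servlet request path before deciding whether it may be served.

Added illustration for the two Tomcat 3.2 issues quoted in the thread; this is
not Tomcat's code. Assumed rule: nothing under WEB-INF or META-INF is ever
served, however the request spells the path.
"""
from urllib.parse import unquote

# Compared case-insensitively: a defensive choice, since some file systems
# (Windows) would open "web-inf" and "WEB-INF" as the same directory.
PROTECTED_DIRS = {"web-inf", "meta-inf"}


def naive_is_forbidden(context_path, raw_path):
    """Prefix check on the raw request string, of the kind a '//' slips past.

    The request is treated as inside the context if it starts with the context
    path, and as forbidden only if what remains starts with '/WEB-INF'.
    '/examples//WEB-INF/web.xml' leaves '//WEB-INF/web.xml', which does not.
    """
    if not raw_path.startswith(context_path):
        return False
    remainder = raw_path[len(context_path):]
    return remainder.startswith("/WEB-INF")


def canonical_segments(raw_path):
    """Drop any query string, percent-decode once, then collapse empty ('//'),
    '.' and '..' segments so the result names one definite location.

    A '..' at the root is dropped rather than rejected: the caller still sees
    the directory the path finally lands in, which is what the check needs.
    """
    decoded = unquote(raw_path.split("?", 1)[0])
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return segments


def is_forbidden(raw_path):
    """True if any canonical segment names a protected directory."""
    return any(seg.lower() in PROTECTED_DIRS for seg in canonical_segments(raw_path))


def resolve_source_file(context_root, requested):
    """Hypothetical guard for a 'show source' feature: map a user-supplied
    relative path onto a file under the context root. Returns the resolved
    path, or None if it would touch a protected directory. Because
    canonical_segments never climbs above its starting point, the result is
    always inside context_root.
    """
    segments = canonical_segments(requested)
    if any(seg.lower() in PROTECTED_DIRS for seg in segments):
        return None
    return context_root.rstrip("/") + "/" + "/".join(segments)


if __name__ == "__main__":
    # Constructed sample requests, including the one quoted in the thread.
    for path in ("/examples/WEB-INF/web.xml",
                 "/examples//WEB-INF/web.xml",
                 "/examples/jsp/../WEB-INF/web.xml",
                 "/examples/%57EB-INF/web.xml",
                 "/examples/jsp/num/numguess.jsp"):
        print(f"{path:40} naive={naive_is_forbidden('/examples', path)!s:5} "
              f"canonical={is_forbidden(path)}")
```

The point of the contrast is that a check on the raw string has to anticipate every spelling an attacker can use (doubled slashes, `.`/`..` segments, percent-encoding), while a check on the canonical segments only has to answer one question. The same `canonical_segments` helper is what a source-viewing tag should run on its `file` argument before opening anything.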