Recent investigations and reports have revealed security vulnerabilities in both
Tomcat 3.1 and Tomcat 3.2 final releases.  To deal with these problems, the
Tomcat team has developed maintenance releases, and recommended actions, for
each major version.  (Tomcat 4.0 milestone 4 shares one of these vulnerabilities
that will be fixed in the upcoming milestone 5 release, which is imminent.)


TOMCAT 3.1 USERS

* There are seven identified vulnerabilities that are documented in the
  Release Notes for Tomcat 3.1.1 (file "doc/readme" in the distribution).

* To deal with these problems for users who are unable to upgrade,
  a maintenance release, Tomcat 3.1.1, has been prepared.  You can
  download it at:

    http://jakarta.apache.org/builds/tomcat/release/v3.1.1/bin/

* This release fixes ***only*** the identified security vulnerabilities.  It
  does not address any of the other bugs that exist in Tomcat 3.1.  No future
  maintenance release of Tomcat 3.1 is planned to deal with these issues.

* You are ***strongly*** encouraged to upgrade to Tomcat 3.2.1 as quickly
  as possible.  In doing so, you will benefit from these security
  vulnerabilities being fixed, performance improvements, new features, and
  a large number of non-security related bug fixes.  See below for the
  download URL.

* In the event that you are not able to upgrade immediately, the corrective
  action is to download the binary distribution, and replace the appropriate
  contents in the $TOMCAT_HOME directory.  There is no need to modify
  any of the binary components (such as the mod_jserv component used to
  connect Tomcat to Apache).

* In addition, if you have not removed it already (or built your own security
  mechanisms to protect it), you should remove the Tomcat 3.1
  administrative application by deleting the $TOMCAT_HOME/webapps/admin
  directory.


TOMCAT 3.2 USERS

* There are two identified vulnerabilities that are documented in the
  Release Notes for Tomcat 3.2.1 (file "doc/readme" in the distribution).
  These vulnerabilities have been fixed in Tomcat 3.2.1.

* You can download this security maintenance release at:

    http://jakarta.apache.org/builds/tomcat/release/v3.2.1/bin/

* You are ***strongly*** encouraged to download and install this
  update as quickly as possible.

* This release fixes ***only*** the identified security vulnerabilities.
  It does not address any of the other bugs, or feature requests, related
  to Tomcat 3.2 final.  These issues will be dealt with in future
  maintenance releases of Tomcat 3.2 as appropriate.

* The corrective action is to download the binary distribution, and
  replace the appropriate contents in the $TOMCAT_HOME directory.
  There is no need to modify any of the binary components (such as the
  mod_jserv component used to connect Tomcat to Apache).


Craig McClanahan

