A security vulnerability affecting the sandboxing provided by the Java Security Manager has been discovered. The request dispatcher functionality of the Servlet API could be used by a malicious servlet or JSP page to get access to any resource located on the server's filesystem, bypassing the Security Manager protection.
Note: People who are not using Tomcat with the Security Manager are not affected by this problem, and do not need to upgrade.

Tomcat 4.0.3 has been released, and is identical to Tomcat 4.0.2 with the only change being the fix for the problem described above:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/

The security patch can also be downloaded as a binary patch for Tomcat 4.0.2 and can be applied to an existing Tomcat 4.0.2 installation:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.2/bin/hotfix/

The source code for the hotfix is included in the archive. The upcoming Tomcat 4.0.4 Beta 1 release will also include this fix.

Issue report: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6772

Remy
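A practitioner reading this advisory wants two facts about each server: which Tomcat 4.0.x it runs, and whether that JVM was started with the Security Manager at all (the advisory's "not affected" case). The script below is an added example and is not part of the advisory or of the Tomcat project's own tooling. It assumes the Tomcat 4.0 directory layout with $CATALINA_HOME/server/lib/catalina.jar, that org.apache.catalina.util.ServerInfo prints a line of the form "Server version: Apache Tomcat/4.0.2", and that catalina.sh's "-security" option starts the JVM with -Djava.security.manager; the version comparison and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Tomcat 4.0.x server as
# VULNERABLE, NOT-AFFECTED, OK or UNKNOWN with respect to the request
# dispatcher / Security Manager issue fixed in 4.0.3.
#
# Assumptions (not stated in the advisory):
#  - Tomcat 4.0 layout: $CATALINA_HOME/server/lib/catalina.jar
#  - org.apache.catalina.util.ServerInfo prints "Server version: Apache Tomcat/x.y.z"
#  - catalina.sh "-security" starts the JVM with -Djava.security.manager
# A 4.0.2 install with the binary hotfix applied still reports 4.0.2 and is
# therefore flagged VULNERABLE; confirm that case by hand.

FIXED_VERSION=4.0.3

# Pull "4.0.2" out of a ServerInfo line such as "Server version: Apache Tomcat/4.0.2".
# Prints nothing when the line does not carry a Tomcat version.
extract_version() {
    printf '%s\n' "$1" | sed -n 's#.*Apache Tomcat/\([0-9][0-9.]*\).*#\1#p'
}

# Return 0 (true) when dotted version $1 is older than $2. A trailing tag
# such as "-b1" is ignored, so 4.0.4-b1 compares as 4.0.4; missing
# components count as 0, so "4" compares as 4.0.0.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 1; fi
    done
    return 1
}

# Return 0 when a JVM command line (e.g. one line of `ps -eo args=`) carries
# the Security Manager switch that catalina.sh adds for "-security".
sm_enabled() {
    case " $1 " in
        *" -Djava.security.manager "*|*" -Djava.security.manager="*) return 0 ;;
    esac
    return 1
}

# Print a one-word verdict for a ServerInfo line ($1) and a JVM command line ($2).
verdict() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"                      # could not parse the version line
    elif ! sm_enabled "$2"; then
        echo "NOT-AFFECTED"                 # no Security Manager: sandbox not in use
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE"                   # sandboxed and older than the fix
    else
        echo "OK"
    fi
}

# Live check against the local install and the running JVM:
#   CATALINA_HOME=/opt/tomcat sh tomcat_sm_check.sh --live
live_check() {
    : "${CATALINA_HOME:?set CATALINA_HOME to the Tomcat 4.0 install}"
    info=$(java -cp "$CATALINA_HOME/server/lib/catalina.jar" org.apache.catalina.util.ServerInfo)
    args=$(ps -eo args= | grep '[o]rg.apache.catalina.startup.Bootstrap' | head -n 1)
    echo "$info"
    echo "jvm args: ${args:-<no running Bootstrap process found>}"
    echo "verdict: $(verdict "$info" "$args")"
}

case "${1:-}" in
    --live) live_check ;;
esac
```

The version string alone is not enough to decide anything: a server at 4.0.2 that was never started with -security is outside the advisory's scope, and one that was hotfixed in place keeps reporting 4.0.2, so the verdict is a triage aid, not a proof of patch state.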