----- Original Message -----
From: "Remy Maucherat" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Thursday, August 07, 2003 11:03 AM
Subject: Re: [ANN] Apache Tomcat 4.1.27 Stable released


> NAIK,ROSHAN (HP-Cupertino,ex1) wrote:
>
> > Hi Remy,
> > Are these security bugs existing in all versions of Tomcat 4
> > prior to 4.1.27? Or was there a version of Tomcat where these
> > were introduced? I couldn't find the reference to these security
> > issues on the tomcat web site section mentioning the 4.1.27 release.
> > This information will be very much useful since we may need to
> > redeploy our free HPUX Tomcat distribution to customers.
>
> Ok, cool.
>
> >>The Tomcat Team announces the immediate availability of Apache Tomcat
> >>4.1.27 Stable. Among other bugfixes and improvements, Tomcat 4.1.27
> >>includes security fixes for:
> >>
> >>- Improper recycling of SSL client certificates with Coyote JK 2
>
> That could have been introduced in a previous release. Bill or Costin
> could probably give a straight answer.

This was introduced in 4.1.18, along with another bug that caused client
certificates to not work at all (and which masked this bug).

>
> >>- Improper handling of invalid content lengths in requests,
> >>causing HTTP
> >>processors to be left in an invalid state in Coyote HTTP/1.1,
> >>causing a
> >>DoS condition
>
> That always existed in Coyote HTTP/1.1 shipped with Tomcat 4.1.x.
>
> >>- URI normalization bug in Coyote
>
> Idem.
>
> >>- Improper handling of certain URLs in Coyote JK 2, causing a
> >>DoS condition
>
> I believe this always existed in Coyote JK 2, but Bill or Costin have
> more knowledge of the issue.

Without checking the CVS logs, I believe that this has always existed in
4.1.  It's certainly been there since the first stable release of 4.1.x.

>
> Remy
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
