marcsaeg    01/10/26 08:46:58

  Modified:    .        Tag: tomcat_32 RELEASE-NOTES
               src/doc  Tag: tomcat_32 readme
  Log:
  Updates for 3.2.4 beta 1
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.1.2.10  +43 -32    jakarta-tomcat/Attic/RELEASE-NOTES
  
  Index: RELEASE-NOTES
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/Attic/RELEASE-NOTES,v
  retrieving revision 1.1.2.9
  retrieving revision 1.1.2.10
  diff -u -r1.1.2.9 -r1.1.2.10
  --- RELEASE-NOTES     2001/07/17 14:07:00     1.1.2.9
  +++ RELEASE-NOTES     2001/10/26 15:46:57     1.1.2.10
  @@ -1,8 +1,8 @@
  -$Id: RELEASE-NOTES,v 1.1.2.9 2001/07/17 14:07:00 marcsaeg Exp $
  +$Id: RELEASE-NOTES,v 1.1.2.10 2001/10/26 15:46:57 marcsaeg Exp $
   
                               Release Notes for:
                              ====================
  -                           TOMCAT Version 3.2.3
  +                           TOMCAT Version 3.2.4
                              ====================
   
   
  @@ -83,11 +83,12 @@
   
   - Tomcat 3.2.1 was a security update.  See section 7.3 for details.
   
  -- Tomcat 3.2.2 was a bug fix release.  Section 7.1 describes the issues
  -that have been fixed in the version.
  +- Tomcat 3.2.2 was a bug fix release.  
   
   - Tomcat 3.2.3 is a security release.
   
  +- Tomcat 3.2.4 is a bug fix release.  See section 7.1 for details.
  +
   - Tomcat 4.0 is separate development from Tomcat 3.x.  It is based on the
   Catalina architecture, which is very different from the architecture of
   Tomcat 3.x.  In addition, Tomcat 4.0 is to be the reference implementation
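Review bot: The unchanged line at the top of this hunk, "Tomcat 3.2.1 was a security update.  See section 7.3 for details.", now points at the wrong section. Later hunks in this patch renumber the 3.2.1 security section from 7.4 to 7.5, and 7.3 becomes the 3.2.3 section. Change the reference to 7.5, and consider giving the "Tomcat 3.2.3 is a security release." line a pointer to 7.3, the way the new 3.2.4 line points to 7.1.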
  @@ -96,16 +97,9 @@
   
   =============================================================================
   5.  NEW FEATURES IN THIS RELEASE
  -
  -5.1 Docbase and File Based Localization
  -
  -Tomcat 3.2.2 now supports a method mapping requests into localized resources
  -automatically based on the client's and the server's locale.  Localized
  -content can be organized using one directory per locale (Docbase) or
  -into a single directory the locale specified in the file names (File based).
   
  -A detailed description of this feature can be found in 
  -doc/tomcat-localization-how.html
  +Version 3.2.4 is strictly a bug fix release.  No new features have been 
  +added.
   
   
   =============================================================================
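Review bot: "strictly a bug fix release" in the new section 5 text understates what ships. The next hunk adds a section 7.2 "Security Vulnerabilities fixed in Tomcat 3.2.4" for guessable session ids, and 7.1 lists added behaviour (automatic restart support in Jk_nt_service, findResource() and findResources() in AdaptiveClassLoader12). Say here that 3.2.4 also carries a security fix and point to 7.2, so a reader deciding whether to upgrade does not stop at this section.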
  @@ -310,24 +304,41 @@
   7.  FIXES AND ENHANCEMENTS IN UPDATES
   
   
  -7.1 Fixes and Enhancements in Release 3.2.3
  +7.1 Fixes and Enhancements in Release 3.2.4
   
   This section highlights the bugs fixed in this release.  
  +
  +  -  Cookie name expires is a reserved token (#1114)
  +  -  Thread initialization problem in thread pool (#1745)
  +  -  AJP12 returned invalid HTTP headers when redirecting to very 
  +     long URLS (#2333)
  +  -  Fixed casting problem in JspFactoryImpl.getPageContext().  (#4260)
  +  -  Setting sesstion-timeout in web.xml did not prevent sessions from 
  +     timing out.  (#4412)
  +  -  Fixed race condition in ServerSocketFactory.getDefault().  (#4418)
  +  -  Removed the restrictions on encoded spcecial characters in URLs
  +     that was added as a security precaution in 3.2.3.  The encoded
  +     special characters are not decoded and remain the URL and 
  +     path info returned to servlets.
  +  -  Jk_nt_service now supports the ability to be restarted automatically
  +     by the Windows 2000 service control manager if Tomcat terminates
  +     abnormally.
  +  -  Fixed invalid servlet mapping in web.xml generated by JspC (#3474, #3499)
  +  -  Added findResource() and findResources() to AdaptiveClassLoader12
  +  -  A Date: HTTP header is now sent in responses when running stand 
  +     alone. (#345)
  +  -  Simple held on to a reference to removed objects preventing 
  +     garbage collection.
  +    
  +     
  +
  +7.2 Security Vulnerabilities fixed in Tomcat 3.2.4
   
  -  -  The show source links the examples web app didn't work.  (#372)
  -  -  Thread synchronization problems with servlet reloading.  (#1628)
  -  -  Recycling BufferedServletOutputStream didn't reset usingWriter.  (#1802)
  -  -  ZIP files in tomcat/lib were not automatically added to the CLASSPATH
  -     by tomcat.bat  (#1935)
  -  -  A sign extension problem caused ServletInputStream to prematurely return
  -     EOF.  (#1673, #1993)
  -  -  Multistatus codes for RFC 2518 were missing.  (#2069)
  -  -  Missing error pages caused Tomcat to enter an infinite loop.  (#2327)
  -  -  JDBCRealm SQL statements not being closed.  (#2149)
  -  -  Potential for message buffer overflow in AJP13.  (#1528)  
  +The randomness of generated session ids has been enhanced to prevent the
  +generation of guessable ids.
   
   
  -7.2 Security vulnerabilities fixed in Tomcat 3.2.3
  +7.3 Security vulnerabilities fixed in Tomcat 3.2.3
   
   Non-normalized URIs, for example /examples/jsp/security//protected/index.jsp or
   /examples/jsp/../jsp/security/protected/index.jsp would bypass the security
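Review bot: The 7.1 entry beginning "Removed the restrictions on encoded spcecial characters in URLs" withdraws something the entry itself calls a security precaution, yet it has no bug number and does not explain why leaving the characters undecoded preserves the 3.2.3 protection. State that reasoning, and tell servlet authors that the URL and path info they receive can now contain the encoded sequences, so any decoding they do themselves needs its own path checks afterwards. Also fix "spcecial", "sesstion-timeout" and "remain the URL" (missing "in") in the added lines.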
  @@ -341,9 +352,9 @@
   If a request URI contains %25, %2E, %2F or %5c a 404 error will be returned.
   This prevents the use of URL encodings to bypass the URI normalization process.
   
  -7.3 Security vulnerabilities fixed in Tomcat 3.2.2
  +7.4 Security vulnerabilities fixed in Tomcat 3.2.2
   
  -7.3.1 HTTP Requests With no Protocol
  +7.4.1 HTTP Requests With no Protocol
   
   An HTTP request with no protocol specified would return an unprocessed
   source for a JSP file.  For example
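Review bot: The context line at the top of this hunk, "If a request URI contains %25, %2E, %2F or %5c a 404 error will be returned.", stays in section 7.3 in the present tense even though the new 7.1 text says that restriction was removed in 3.2.4. Reword it as 3.2.3 behaviour and add a sentence on what 3.2.4 does with those sequences, otherwise the notes describe two different responses to the same request.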
  @@ -352,7 +363,7 @@
   
   would return the source for the numguess.jsp file.
   
  -7.3.2
  +7.4.2
   
   Tomcat 3.2.2 beta releases prior to beta 3 had allowed URI components
   to be decoded twice.  This problem only appears when using JDK 1.3.0
  @@ -365,9 +376,9 @@
   of files outside the web application.
   
   
  -7.4 Security vulnerabilities fixed in Tomcat 3.2.1
  +7.5 Security vulnerabilities fixed in Tomcat 3.2.1
   
  -7.4.1 Protection of Resources in /WEB-INF and /META-INF Directories
  +7.5.1 Protection of Resources in /WEB-INF and /META-INF Directories
   
   The servlet specification prohibits servlet containers from serving resources
   in the /WEB-INF and /META-INF directories of a web application archive directly
  @@ -385,7 +396,7 @@
   corrected in Tomcat 3.2.1.
   
   
  -7.4.2 Show Source Vulnerability
  +7.5.2 Show Source Vulnerability
   
   The example application delivered with Tomcat 3.2 included a mechanism to
   display the source code for the JSP page examples.  This mechanism could
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.8.2.22  +43 -32    jakarta-tomcat/src/doc/readme
  
  Index: readme
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v
  retrieving revision 1.8.2.21
  retrieving revision 1.8.2.22
  diff -u -r1.8.2.21 -r1.8.2.22
  --- readme    2001/07/17 14:07:01     1.8.2.21
  +++ readme    2001/10/26 15:46:57     1.8.2.22
  @@ -1,8 +1,8 @@
  -$Id: readme,v 1.8.2.21 2001/07/17 14:07:01 marcsaeg Exp $
  +$Id: readme,v 1.8.2.22 2001/10/26 15:46:57 marcsaeg Exp $
   
                               Release Notes for:
                              ====================
  -                           TOMCAT Version 3.2.3
  +                           TOMCAT Version 3.2.4
                              ====================
   
   
  @@ -83,11 +83,12 @@
   
   - Tomcat 3.2.1 was a security update.  See section 7.3 for details.
   
  -- Tomcat 3.2.2 was a bug fix release.  Section 7.1 describes the issues
  -that have been fixed in the version.
  +- Tomcat 3.2.2 was a bug fix release.  
   
   - Tomcat 3.2.3 is a security release.
   
  +- Tomcat 3.2.4 is a bug fix release.  See section 7.1 for details.
  +
   - Tomcat 4.0 is separate development from Tomcat 3.x.  It is based on the
   Catalina architecture, which is very different from the architecture of
   Tomcat 3.x.  In addition, Tomcat 4.0 is to be the reference implementation
  @@ -96,16 +97,9 @@
   
   =============================================================================
   5.  NEW FEATURES IN THIS RELEASE
  -
  -5.1 Docbase and File Based Localization
  -
  -Tomcat 3.2.2 now supports a method mapping requests into localized resources
  -automatically based on the client's and the server's locale.  Localized
  -content can be organized using one directory per locale (Docbase) or
  -into a single directory the locale specified in the file names (File based).
   
  -A detailed description of this feature can be found in 
  -doc/tomcat-localization-how.html
  +Version 3.2.4 is strictly a bug fix release.  No new features have been 
  +added.
   
   
   =============================================================================
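Review bot: src/doc/readme receives exactly the same change as RELEASE-NOTES in this commit (both +43 -32, same hunks, including this section 5 rewrite), so two copies of the release notes are being kept in sync by hand. Consider making one the source and copying it at build time, or reducing the readme to a pointer to RELEASE-NOTES, so a later security entry cannot land in one file and be missed in the other.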
  @@ -310,24 +304,41 @@
   7.  FIXES AND ENHANCEMENTS IN UPDATES
   
   
  -7.1 Fixes and Enhancements in Release 3.2.3
  +7.1 Fixes and Enhancements in Release 3.2.4
   
   This section highlights the bugs fixed in this release.  
  +
  +  -  Cookie name expires is a reserved token (#1114)
  +  -  Thread initialization problem in thread pool (#1745)
  +  -  AJP12 returned invalid HTTP headers when redirecting to very 
  +     long URLS (#2333)
  +  -  Fixed casting problem in JspFactoryImpl.getPageContext().  (#4260)
  +  -  Setting sesstion-timeout in web.xml did not prevent sessions from 
  +     timing out.  (#4412)
  +  -  Fixed race condition in ServerSocketFactory.getDefault().  (#4418)
  +  -  Removed the restrictions on encoded spcecial characters in URLs
  +     that was added as a security precaution in 3.2.3.  The encoded
  +     special characters are not decoded and remain the URL and 
  +     path info returned to servlets.
  +  -  Jk_nt_service now supports the ability to be restarted automatically
  +     by the Windows 2000 service control manager if Tomcat terminates
  +     abnormally.
  +  -  Fixed invalid servlet mapping in web.xml generated by JspC (#3474, #3499)
  +  -  Added findResource() and findResources() to AdaptiveClassLoader12
  +  -  A Date: HTTP header is now sent in responses when running stand 
  +     alone. (#345)
  +  -  Simple held on to a reference to removed objects preventing 
  +     garbage collection.
  +    
  +     
  +
  +7.2 Security Vulnerabilities fixed in Tomcat 3.2.4
   
  -  -  The show source links the examples web app didn't work.  (#372)
  -  -  Thread synchronization problems with servlet reloading.  (#1628)
  -  -  Recycling BufferedServletOutputStream didn't reset usingWriter.  (#1802)
  -  -  ZIP files in tomcat/lib were not automatically added to the CLASSPATH
  -     by tomcat.bat  (#1935)
  -  -  A sign extension problem caused ServletInputStream to prematurely return
  -     EOF.  (#1673, #1993)
  -  -  Multistatus codes for RFC 2518 were missing.  (#2069)
  -  -  Missing error pages caused Tomcat to enter an infinite loop.  (#2327)
  -  -  JDBCRealm SQL statements not being closed.  (#2149)
  -  -  Potential for message buffer overflow in AJP13.  (#1528)  
  +The randomness of generated session ids has been enhanced to prevent the
  +generation of guessable ids.
   
   
  -7.2 Security vulnerabilities fixed in Tomcat 3.2.3
  +7.3 Security vulnerabilities fixed in Tomcat 3.2.3
   
   Non-normalized URIs, for example /examples/jsp/security//protected/index.jsp or
   /examples/jsp/../jsp/security/protected/index.jsp would bypass the security
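Review bot: The new 7.2 text says only that session id randomness "has been enhanced"; unlike the 7.1 entries it has no bug number and does not say which releases produced guessable ids, which is what an operator needs to judge exposure. The same hunk deletes the 3.2.3 fix list (#372 through #1528) rather than moving it to its own subsection, so entries such as "Potential for message buffer overflow in AJP13.  (#1528)" drop out of section 7.1 with no replacement visible in this diff, while the security sections for older releases are kept.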
  @@ -341,9 +352,9 @@
   If a request URI contains %25, %2E, %2F or %5c a 404 error will be returned.
   This prevents the use of URL encodings to bypass the URI normalization process.
   
  -7.3 Security vulnerabilities fixed in Tomcat 3.2.2
  +7.4 Security vulnerabilities fixed in Tomcat 3.2.2
   
  -7.3.1 HTTP Requests With no Protocol
  +7.4.1 HTTP Requests With no Protocol
   
   An HTTP request with no protocol specified would return an unprocessed
   source for a JSP file.  For example
  @@ -352,7 +363,7 @@
   
   would return the source for the numguess.jsp file.
   
  -7.3.2
  +7.4.2
   
   Tomcat 3.2.2 beta releases prior to beta 3 had allowed URI components
   to be decoded twice.  This problem only appears when using JDK 1.3.0
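Review bot: The renumbered heading "7.4.2" still has no title, unlike 7.4.1 and 7.5.2. Since the line is being touched anyway, give it one that matches the paragraph below it, for example "7.4.2 URI Components Decoded Twice".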
  @@ -365,9 +376,9 @@
   of files outside the web application.
   
   
  -7.4 Security vulnerabilities fixed in Tomcat 3.2.1
  +7.5 Security vulnerabilities fixed in Tomcat 3.2.1
   
  -7.4.1 Protection of Resources in /WEB-INF and /META-INF Directories
  +7.5.1 Protection of Resources in /WEB-INF and /META-INF Directories
   
   The servlet specification prohibits servlet containers from serving resources
   in the /WEB-INF and /META-INF directories of a web application archive directly
  @@ -385,7 +396,7 @@
   corrected in Tomcat 3.2.1.
   
   
  -7.4.2 Show Source Vulnerability
  +7.5.2 Show Source Vulnerability
   
   The example application delivered with Tomcat 3.2 included a mechanism to
   display the source code for the JSP page examples.  This mechanism could
  
  
  

