This was the quickest way to deal with a security vulnerability that was discussed on tomcat-committers. At the time Tomcat 3.3.x wasn't building and the last good build doesn't pass one of the internal tests. Also, I haven't had time to clean out the old mod_jk content and do the other cleanup that is needed to prepare a release. A timely release of Tomcat 3.3.2 wasn't practical given that I haven't been able to keep up with its current state as well as I would like.

Given that I have some available time now, Tomcat 3.3.2 is next on the agenda. I'll try to put together a release plan this week. The commons-modeler addition was to get the http11 building again. Yes, a version newer than 1.0 is needed, but I just needed some properties I could override for now. I need to review all this and make sure I am building 3.3.2 with the proper sources from J-T-C. The remote connection to my work computer is in pretty bad shape at the moment, so I may not be able to respond further today. I'll try to address any questions or concerns on Monday.

Cheers,
Larry

> -----Original Message-----
> From: Bill Barker [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, January 26, 2003 5:30 AM
> To: Tomcat Developers List
> Subject: Re: [ANN] Security update: Apache Tomcat 3.3.1a released
>
> I'm assuming that this was actually voted on in some list (certainly not this one). I'd just like to add my -0 vote (only because a -1 is pointless now :). The 3.3 branch needs to have a 3.3.2 release, and IMHO, a 3.3.1a release is just a waste of time.
>
> ----- Original Message -----
> From: "Larry Isaacs" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Saturday, January 25, 2003 8:30 PM
> Subject: [ANN] Security update: Apache Tomcat 3.3.1a released
>
> Tomcat 3.3.1a has been released to address the following two vulnerabilities found in Tomcat 3.3.1 and earlier. This includes Tomcat 3.2.4 and earlier.
>
> Tomcat 4.0.4, 4.0.6, 4.1.12, 4.1.18, and 4.1.19 have been checked and do not have these vulnerabilities.
>
> Vulnerability where, when used with JDK 1.3.1 or earlier, a maliciously crafted request could return a directory listing even when an index.html, index.jsp, or other welcome file is present. File contents can be returned as well. In the case of Tomcat 3.2.4 and earlier, contents of files under WEB-INF could be accessed. If you are using Tomcat 3.3.1 or earlier with JDK 1.3.1 or earlier, you should either upgrade to JDK 1.4 or later, or upgrade your Tomcat installation to Tomcat 3.3.1a or a current release of Tomcat 4.
>
> Vulnerability where a malicious web application could read the contents of some files outside the web application via its web.xml file in spite of the presence of a security manager. The content of files that can be read as part of an XML document would be accessible. If you are running Tomcat 3.3.1 or earlier with a security manager, and are serving web applications whose web.xml content is not known to be safe, you should upgrade your Tomcat installation to 3.3.1a or a current release of Tomcat 4.
>
> You may download Tomcat 3.3.1a binaries and updated jars from:
> http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/bin/
>
> Other Tomcat downloads may be obtained from:
> http://jakarta.apache.org/site/binindex.cgi
>
> These vulnerabilities have been fixed in the current Tomcat 3.3.2-dev files found at:
> http://jakarta.apache.org/builds/jakarta-tomcat/nightly-3.3.x/
>
> Larry

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>