Hi Remy,
Are these security bugs existing in all versions of Tomcat 4 prior to 4.1.27? Or was there a version of Tomcat where these were introduced? I couldn't find the reference to these security issues on the Tomcat web site section mentioning the 4.1.27 release. This information will be very useful since we may need to redeploy our free HPUX Tomcat distribution to customers.
Ok, cool.
The Tomcat Team announces the immediate availability of Apache Tomcat 4.1.27 Stable. Among other bugfixes and improvements, Tomcat 4.1.27 includes security fixes for:
- Improper recycling of SSL client certificates with Coyote JK 2
That could have been introduced in a previous release. Bill or Costin could probably give a straight answer.
- Improper handling of invalid content lengths in requests, causing HTTP processors to be left in an invalid state in Coyote HTTP/1.1, causing a DoS condition
That always existed in Coyote HTTP/1.1 shipped with Tomcat 4.1.x.
- URI normalization bug in Coyote
Idem.
- Improper handling of certain URLs in Coyote JK 2, causing a DoS condition
I believe this always existed in Coyote JK 2, but Bill or Costin have more knowledge of the issue.
Remy