Posted to site-cvs@jakarta.apache.org by re...@apache.org on 2002/03/07 02:43:07 UTC

cvs commit: jakarta-site2/xdocs/site news.xml

remm        02/03/06 17:43:06

  Modified:    xdocs/site news.xml
  Log:
  - Update the information on the security vulnerability fixed in Tomcat 4.0.3.
  
  Revision  Changes    Path
  1.126     +8 -7      jakarta-site2/xdocs/site/news.xml
  
  Index: news.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/xdocs/site/news.xml,v
  retrieving revision 1.125
  retrieving revision 1.126
  diff -u -r1.125 -r1.126
  --- news.xml	6 Mar 2002 00:39:33 -0000	1.125
  +++ news.xml	7 Mar 2002 01:43:06 -0000	1.126
  @@ -58,17 +58,18 @@
   <h3>1 March 2002 - Tomcat 4.0.3 Released</h3>
   </a>
   <p>
  -  This release fixes a security vulnerability affecting the sandboxing
  -  provided by the Java Security Manager. It is otherwise identical to 4.0.2, 
  -  with the addition of the fix for this vulnerability. Tomcat installations 
  -  which do not use the Security Manager are not affected by this problem, 
  -  and don't need to be upgraded.
  +  This release fixes a security vulnerability affecting the use of the request
  +  dispatcher, which could allow in some rare cases a remote attacker to read 
  +  files anywhere on the server filesystem. It also provides a way
  +  for malicious servlets or JSP to bypass the Security Manager sandbox.
  +</p>
  +<p>
     Binary and source distributions are available <a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/">here</a>.
   </p>
   <p>
     The fix for this security vulnerability is also available as a hotfix 
  -  which can be applied to an existing Tomcat 4.0.2 installation. Installing 
  -  the hotfix is equivalent to upgrading to Tomcat 4.0.3.
  +  which can be applied to an existing Tomcat 4.0.x installation. Installing 
  +  the hotfix on top of 4.0.2 is equivalent to upgrading to Tomcat 4.0.3.
     The hotfix can be found <a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.2/bin/hotfix/">here</a>.
   </p>
   <hr size="1" noshade="noshade" />
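Review bot: In the added sentence "It also provides a way for malicious servlets or JSP to bypass the Security Manager sandbox", the pronoun "It" points back to "This release", so the notice reads as if 4.0.3 introduces the sandbox bypass instead of fixing it. Suggest something like "The vulnerability also allows malicious servlets or JSPs to bypass the Security Manager sandbox." The change also drops the old statement that installations not using the Security Manager don't need to be upgraded, without putting any guidance in its place; since the new text describes a remote file read through the request dispatcher, the notice should say plainly which installations are affected and should upgrade. In the hotfix paragraph, the scope is widened to 4.0.x but the result is only stated for 4.0.2, so a sentence on what applying the hotfix to an earlier 4.0.x install gives would remove the ambiguity.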
  
  
  
