Posted to site-cvs@jakarta.apache.org by re...@apache.org on 2002/03/07 02:43:07 UTC
cvs commit: jakarta-site2/xdocs/site news.xml
remm 02/03/06 17:43:06
Modified: xdocs/site news.xml
Log:
- Update the information on the security vulnerability fixed in Tomcat 4.0.3.
Revision Changes Path
1.126 +8 -7 jakarta-site2/xdocs/site/news.xml
Index: news.xml
===================================================================
RCS file: /home/cvs/jakarta-site2/xdocs/site/news.xml,v
retrieving revision 1.125
retrieving revision 1.126
diff -u -r1.125 -r1.126
--- news.xml 6 Mar 2002 00:39:33 -0000 1.125
+++ news.xml 7 Mar 2002 01:43:06 -0000 1.126
@@ -58,17 +58,18 @@
<h3>1 March 2002 - Tomcat 4.0.3 Released</h3>
</a>
<p>
- This release fixes a security vulnerability affecting the sandboxing
- provided by the Java Security Manager. It is otherwise identical to 4.0.2,
- with the addition of the fix for this vulnerability. Tomcat installations
- which do not use the Security Manager are not affected by this problem,
- and don't need to be upgraded.
+ This release fixes a security vulnerability affecting the use of the request
+ dispatcher, which could allow in some rare cases a remote attacker to read
+ files anywhere on the server filesystem. It also provides a way
+ for malicious servlets or JSP to bypass the Security Manager sandbox.
+</p>
+<p>
Binary and source distributions are available <a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/">here</a>.
</p>
<p>
The fix for this security vulnerability is also available as a hotfix
- which can be applied to an existing Tomcat 4.0.2 installation. Installing
- the hotfix is equivalent to upgrading to Tomcat 4.0.3.
+ which can be applied to an existing Tomcat 4.0.x installation. Installing
+ the hotfix on top of 4.0.2 is equivalent to upgrading to Tomcat 4.0.3.
The hotfix can be found <a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.2/bin/hotfix/">here</a>.
</p>
<hr size="1" noshade="noshade" />
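Review bot: the new sentence "It also provides a way for malicious servlets or JSP to bypass the Security Manager sandbox" has an ambiguous antecedent: read after "This release fixes ...", "It" says the release provides the sandbox bypass, not the vulnerability. Suggest "The same flaw also provides a way for malicious servlets or JSPs to bypass the Security Manager sandbox." The rewrite also drops the previous scope statement ("installations which do not use the Security Manager are not affected ... and don't need to be upgraded") without replacing it; since the request dispatcher file-read issue described here is not tied to the Security Manager, the announcement should say explicitly that the earlier exemption no longer applies and that all 4.0.x installations should upgrade or apply the hotfix.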