Posted to site-cvs@jakarta.apache.org by re...@apache.org on 2002/03/07 02:43:20 UTC

cvs commit: jakarta-site2/docs/site news.html

remm        02/03/06 17:43:20

  Modified:    docs/site news.html
  Log:
  - Update the information on the security vulnerability fixed in Tomcat 4.0.3.
  
  Revision  Changes    Path
  1.153     +8 -7      jakarta-site2/docs/site/news.html
  
  Index: news.html
  ===================================================================
  RCS file: /home/cvs/jakarta-site2/docs/site/news.html,v
  retrieving revision 1.152
  retrieving revision 1.153
  diff -u -r1.152 -r1.153
  --- news.html	6 Mar 2002 21:47:51 -0000	1.152
  +++ news.html	7 Mar 2002 01:43:20 -0000	1.153
  @@ -186,17 +186,18 @@
   <h3>1 March 2002 - Tomcat 4.0.3 Released</h3>
   </a>
                                                   <p>
  -  This release fixes a security vulnerability affecting the sandboxing
  -  provided by the Java Security Manager. It is otherwise identical to 4.0.2, 
  -  with the addition of the fix for this vulnerability. Tomcat installations 
  -  which do not use the Security Manager are not affected by this problem, 
  -  and don't need to be upgraded.
  +  This release fixes a security vulnerability affecting the use of the request
  +  dispatcher, which could allow in some rare cases a remote attacker to read 
  +  files anywhere on the server filesystem. It also provides a way
  +  for malicious servlets or JSP to bypass the Security Manager sandbox.
  +</p>
  +                                                <p>
     Binary and source distributions are available <a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/">here</a>.
   </p>
                                                   <p>
     The fix for this security vulnerability is also available as a hotfix 
  -  which can be applied to an existing Tomcat 4.0.2 installation. Installing 
  -  the hotfix is equivalent to upgrading to Tomcat 4.0.3.
  +  which can be applied to an existing Tomcat 4.0.x installation. Installing 
  +  the hotfix on top of 4.0.2 is equivalent to upgrading to Tomcat 4.0.3.
     The hotfix can be found <a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.2/bin/hotfix/">here</a>.
   </p>
                                                   <hr size="1" noshade="noshade" />
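Review bot: the pronoun "It" at the start of the sentence "It also provides a way for malicious servlets or JSP to bypass the Security Manager sandbox" has "This release" as its nearest antecedent, so the new paragraph reads as though Tomcat 4.0.3 itself provides the sandbox bypass rather than fixes it. Suggest "The same vulnerability also allows malicious servlets or JSPs to bypass the Security Manager sandbox." In the same sentence, "could allow in some rare cases a remote attacker to read" reads more naturally as "could, in some rare cases, allow a remote attacker to read". Separately, the removed lines told installations not using the Security Manager that they were unaffected and need not upgrade; since the replacement text no longer limits exposure to Security Manager users, consider adding an explicit line that all Tomcat 4.0.x users should upgrade or apply the hotfix, so the change in scope is not left implicit.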
  
  
  
