Posted to site-cvs@jakarta.apache.org by re...@apache.org on 2002/03/07 02:43:20 UTC
cvs commit: jakarta-site2/docs/site news.html
remm 02/03/06 17:43:20
Modified: docs/site news.html
Log:
- Update the information on the security vulnerability fixed in Tomcat 4.0.3.
Revision Changes Path
1.153 +8 -7 jakarta-site2/docs/site/news.html
Index: news.html
===================================================================
RCS file: /home/cvs/jakarta-site2/docs/site/news.html,v
retrieving revision 1.152
retrieving revision 1.153
diff -u -r1.152 -r1.153
--- news.html 6 Mar 2002 21:47:51 -0000 1.152
+++ news.html 7 Mar 2002 01:43:20 -0000 1.153
@@ -186,17 +186,18 @@
<h3>1 March 2002 - Tomcat 4.0.3 Released</h3>
</a>
<p>
- This release fixes a security vulnerability affecting the sandboxing
- provided by the Java Security Manager. It is otherwise identical to 4.0.2,
- with the addition of the fix for this vulnerability. Tomcat installations
- which do not use the Security Manager are not affected by this problem,
- and don't need to be upgraded.
+ This release fixes a security vulnerability affecting the use of the request
+ dispatcher, which could allow in some rare cases a remote attacker to read
+ files anywhere on the server filesystem. It also provides a way
+ for malicious servlets or JSP to bypass the Security Manager sandbox.
+</p>
+ <p>
Binary and source distributions are available <a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/">here</a>.
</p>
<p>
The fix for this security vulnerability is also available as a hotfix
- which can be applied to an existing Tomcat 4.0.2 installation. Installing
- the hotfix is equivalent to upgrading to Tomcat 4.0.3.
+ which can be applied to an existing Tomcat 4.0.x installation. Installing
+ the hotfix on top of 4.0.2 is equivalent to upgrading to Tomcat 4.0.3.
The hotfix can be found <a href="http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.2/bin/hotfix/">here</a>.
</p>
<hr size="1" noshade="noshade" />
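Review bot: the sentence "It also provides a way for malicious servlets or JSP to bypass the Security Manager sandbox" in the first rewritten paragraph reads as if the release itself provides the bypass, because "It" follows "This release fixes ..."; suggest "The vulnerability also allows malicious servlets or JSPs to bypass the Security Manager sandbox." The hunk also drops the old sentence telling installations that do not use the Security Manager that they need not upgrade, but says nothing in its place; since the new description names a request-dispatcher file-read issue that is not tied to the Security Manager, the paragraph should state explicitly whether that exemption still applies, so readers of the previous version do not keep relying on it. Minor: the new `</p>` is flush-left while the surrounding tags are indented, and the extra "hotfix on top of 4.0.2" wording is good but the first sentence could say "4.0.x" consistently with the link text that still points at the v4.0.2 hotfix directory.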