Posted to dev@tomcat.apache.org by "Craig R. McClanahan" <cr...@apache.org> on 2001/04/02 23:20:56 UTC

Tomcat 4.0-beta-2 Security Vulnerability

As you've seen from bug reports to BugTraq@securityfocus.com, the Beta 2
release of Tomcat 4.0 has a security vulnerability that can expose JSP
file source code.  A partial fix to this problem was implemented prior to
shipping beta 2, but it did not deal with all possible causes.

The actual bug (URL decoding the static file path in DefaultServlet even
though the container now does this) was fixed by Remy this morning, and I
just fixed the same vulnerability in the SSI servlet.  The question is,
what do we do about beta 2?

I suggest that we create a revised version of beta 2, clearly labelled so
that people will know whether they have the corrected version or not --
and we should do this immediately (like today) to minimize the number of
people who end up downloading twice.

I suggest we call the updated version "Tomcat 4.0-beta-2-update-1" or
something like that.

Comments?  Votes?

Craig
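As an added illustration of the bug Craig describes (this is not code from the thread or from Tomcat itself): when the static-file servlet URL-decodes a path the container has already decoded once, the file it opens is no longer the file the container's mapping step saw. The document root, the sample file names and the refusal of JSP suffixes are constructed assumptions for the demonstration, not Tomcat's actual implementation.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed values for the demonstration only.
DOC_ROOT = "/var/tomcat/webapps/ROOT"
JSP_EXTENSIONS = (".jsp",)


def container_view(container_decoded_path: str) -> str:
    """The file the container's mapping step believes it is dealing with:
    the once-decoded request path joined onto the document root."""
    return posixpath.normpath(
        posixpath.join(DOC_ROOT, container_decoded_path.lstrip("/")))


def buggy_resolve(container_decoded_path: str) -> str:
    """'Before' behaviour as described in the thread: the static-file servlet
    decodes again, so any '%xx' sequence that survived the container's single
    decode is interpreted a second time and can select a different file."""
    twice_decoded = unquote(container_decoded_path)
    return container_view(twice_decoded)


def safe_resolve(container_decoded_path: str) -> Optional[str]:
    """'After' behaviour: trust the container's single decode, canonicalise,
    confine the result to the document root and never hand out a file whose
    suffix belongs to the JSP servlet. Returns None when the request is refused."""
    if "\x00" in container_decoded_path:
        return None
    resolved = container_view(container_decoded_path)
    if resolved != DOC_ROOT and not resolved.startswith(DOC_ROOT + "/"):
        return None  # canonical path escaped the document root
    if resolved.lower().endswith(JSP_EXTENSIONS):
        return None  # JSP source is compiled by the JSP servlet, never served raw
    return resolved


def decodes_consistently(container_decoded_path: str, resolve) -> bool:
    """True when `resolve` opens exactly the file the container mapped,
    False when an extra decode silently changed the target."""
    return resolve(container_decoded_path) == container_view(container_decoded_path)


if __name__ == "__main__":
    # Browser sent /docs/100%2525.txt; the container decoded it once.
    path = "/docs/100%25.txt"
    print("buggy :", buggy_resolve(path), decodes_consistently(path, buggy_resolve))
    print("fixed :", safe_resolve(path), decodes_consistently(path, safe_resolve))
```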



Re: Tomcat 4.0-beta-2 Security Vulnerability

Posted by Meir Faraj <fa...@netvision.net.il>.
----- Original Message -----
From: "Glenn Nielsen" <gl...@voyager.apg.more.net>
To: <to...@jakarta.apache.org>
Sent: Tuesday, April 03, 2001 12:39 AM
Subject: Re: Tomcat 4.0-beta-2 Security Vulnerability


> Jon Stevens wrote:
> >
> > on 4/2/01 2:20 PM, "Craig R. McClanahan" <cr...@apache.org> wrote:
> >
> > > I suggest that we create a revised version of beta 2, clearly labelled so
> > > that people will know whether they have the corrected version or not --
> > > and we should do this immediately (like today) to minimize the number of
> > > people who end up downloading twice.
> > >
> > > I suggest we call the updated version "Tomcat 4.0-beta-2-update-1" or
> > > something like that.
> > >
> > > Comments?  Votes?
> > >
> > > Craig
> >
> > -1 on an update. it just adds confusion imho and i don't see a reason to
> > resist having many beta releases.
> >
> > Just make a beta 3.
> >
> > -jon
>
> I agree, beta 3 avoids confusion.
>
> +1 for a beta 3 release.
>
> Glenn
+1 for beta 3 ;-) It is too confusing to create an update version.


Re: Tomcat 4.0-beta-2 Security Vulnerability

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
Jon Stevens wrote:
> 
> on 4/2/01 2:20 PM, "Craig R. McClanahan" <cr...@apache.org> wrote:
> 
> > I suggest that we create a revised version of beta 2, clearly labelled so
> > that people will know whether they have the corrected version or not --
> > and we should do this immediately (like today) to minimize the number of
> > people who end up downloading twice.
> >
> > I suggest we call the updated version "Tomcat 4.0-beta-2-update-1" or
> > something like that.
> >
> > Comments?  Votes?
> >
> > Craig
> 
> -1 on an update. it just adds confusion imho and i don't see a reason to
> resist having many beta releases.
> 
> Just make a beta 3.
> 
> -jon

I agree, beta 3 avoids confusion.

+1 for a beta 3 release.

Glenn

----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------

Re: Tomcat 4.0-beta-2 Security Vulnerability

Posted by Jon Stevens <jo...@latchkey.com>.
on 4/2/01 2:20 PM, "Craig R. McClanahan" <cr...@apache.org> wrote:

> I suggest that we create a revised version of beta 2, clearly labelled so
> that people will know whether they have the corrected version or not --
> and we should do this immediately (like today) to minimize the number of
> people who end up downloading twice.
> 
> I suggest we call the updated version "Tomcat 4.0-beta-2-update-1" or
> something like that.
> 
> Comments?  Votes?
> 
> Craig

-1 on an update. it just adds confusion imho and i don't see a reason to
resist having many beta releases.

Just make a beta 3.

-jon


Re: Tomcat 4.0-beta-2 Security Vulnerability

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 3 Apr 2001, Punky Tse wrote:

> 
> And I think it is also good to state in the mail announcement and on the
> Jakarta website that b2 has such a security vulnerability when b3 is
> rolled out.
> 

It will.  The beta-2 release is also going to get pulled so that no one
will download it accidentally.

> Punky
> 

Craig


> 
> ----- Original Message -----
> From: "Craig R. McClanahan" <cr...@apache.org>
> To: <to...@jakarta.apache.org>
> Sent: Tuesday, April 03, 2001 7:38 AM
> Subject: Re: Tomcat 4.0-beta-2 Security Vulnerability
> 
> 
> >
> >
> > On Mon, 2 Apr 2001, Mel Martinez wrote:
> >
> > >
> > > --- "Craig R. McClanahan" <cr...@apache.org> wrote:
> > > >
> > > > I suggest that we create a revised version of beta
> > > > 2, clearly labelled so
> > > > that people will know whether they have the
> > > > corrected version or not --
> > > > and we should do this immediately (like today) to
> > > > minimize the number of
> > > > people who end up downloading twice.
> > > >
> > > > I suggest we call the updated version "Tomcat
> > > > 4.0-beta-2-update-1" or
> > > > something like that.
> > > >
> > > > Comments?  Votes?
> > > >
> > >
> > > I vote you just call it  "Tomcat-4.0-beta-3".  I don't
> > > recall ever being told there were limits to the number
> > > of betas one can produce.  :-)  I believe that a new
> > > beta number is justified by any significant bug fix or
> > > fixes and a security hole is definitely significant,
> > > even if the code change may be tiny.
> > >
> > > By labeling it 'beta-3' it is CLEARLY the latest build
> > > and CLEARLY newer than beta-2.
> > >
> >
> > Makes sense to me.  "Beta 3" it is.
> >
> > > fwiw,
> > >
> > > Dr. Mel Martinez
> > > G1440, Inc.
> > >
> >
> > Craig
> 
> 


Re: Tomcat 4.0-beta-2 Security Vulnerability

Posted by Punky Tse <pu...@yahoo.com>.
And I think it is also good to state in the mail announcement and on the
Jakarta website that b2 has such a security vulnerability when b3 is
rolled out.

Punky


----- Original Message -----
From: "Craig R. McClanahan" <cr...@apache.org>
To: <to...@jakarta.apache.org>
Sent: Tuesday, April 03, 2001 7:38 AM
Subject: Re: Tomcat 4.0-beta-2 Security Vulnerability


>
>
> On Mon, 2 Apr 2001, Mel Martinez wrote:
>
> >
> > --- "Craig R. McClanahan" <cr...@apache.org> wrote:
> > >
> > > I suggest that we create a revised version of beta
> > > 2, clearly labelled so
> > > that people will know whether they have the
> > > corrected version or not --
> > > and we should do this immediately (like today) to
> > > minimize the number of
> > > people who end up downloading twice.
> > >
> > > I suggest we call the updated version "Tomcat
> > > 4.0-beta-2-update-1" or
> > > something like that.
> > >
> > > Comments?  Votes?
> > >
> >
> > I vote you just call it  "Tomcat-4.0-beta-3".  I don't
> > recall ever being told there were limits to the number
> > of betas one can produce.  :-)  I believe that a new
> > beta number is justified by any significant bug fix or
> > fixes and a security hole is definitely significant,
> > even if the code change may be tiny.
> >
> > By labeling it 'beta-3' it is CLEARLY the latest build
> > and CLEARLY newer than beta-2.
> >
>
> Makes sense to me.  "Beta 3" it is.
>
> > fwiw,
> >
> > Dr. Mel Martinez
> > G1440, Inc.
> >
>
> Craig


Re: Tomcat 4.0-beta-2 Security Vulnerability

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Mon, 2 Apr 2001, Mel Martinez wrote:

> 
> --- "Craig R. McClanahan" <cr...@apache.org> wrote:
> > 
> > I suggest that we create a revised version of beta
> > 2, clearly labelled so
> > that people will know whether they have the
> > corrected version or not --
> > and we should do this immediately (like today) to
> > minimize the number of
> > people who end up downloading twice.
> > 
> > I suggest we call the updated version "Tomcat
> > 4.0-beta-2-update-1" or
> > something like that.
> > 
> > Comments?  Votes?
> > 
> 
> I vote you just call it  "Tomcat-4.0-beta-3".  I don't
> recall ever being told there were limits to the number
> of betas one can produce.  :-)  I believe that a new
> beta number is justified by any significant bug fix or
> fixes and a security hole is definitely significant,
> even if the code change may be tiny.
> 
> By labeling it 'beta-3' it is CLEARLY the latest build
> and CLEARLY newer than beta-2.
> 

Makes sense to me.  "Beta 3" it is.

> fwiw,
> 
> Dr. Mel Martinez
> G1440, Inc.
>  

Craig


Re: Tomcat 4.0-beta-2 Security Vulnerability

Posted by Mel Martinez <me...@yahoo.com>.
--- "Craig R. McClanahan" <cr...@apache.org> wrote:
> 
> I suggest that we create a revised version of beta
> 2, clearly labelled so
> that people will know whether they have the
> corrected version or not --
> and we should do this immediately (like today) to
> minimize the number of
> people who end up downloading twice.
> 
> I suggest we call the updated version "Tomcat
> 4.0-beta-2-update-1" or
> something like that.
> 
> Comments?  Votes?
> 

I vote you just call it  "Tomcat-4.0-beta-3".  I don't
recall ever being told there were limits to the number
of betas one can produce.  :-)  I believe that a new
beta number is justified by any significant bug fix or
fixes and a security hole is definitely significant,
even if the code change may be tiny.

By labeling it 'beta-3' it is CLEARLY the latest build
and CLEARLY newer than beta-2.

fwiw,

Dr. Mel Martinez
G1440, Inc.
 

