Posted to dev@tomcat.apache.org by Larry Isaacs <La...@sas.com> on 2002/01/14 23:29:22 UTC

[ANNOUNCEMENT] Tomcat 3.3 updated to deal with DOS vulnerability on Windows

A denial-of-service vulnerability was recently discovered
affecting Tomcat 3.3 running on Windows systems.  A special
HTTP request can cause the request to hang and never complete.
This prevents the thread handling the request from handling
any further requests until Tomcat is restarted.  Other systems
are not affected, and neither Tomcat 3.2.x nor Tomcat 4.x has
this vulnerability.

The Tomcat 3.3 site now contains Tomcat version 3.3a which has
a minimum of changes needed to avoid the vulnerability.  In
addition to the full binary distribution, jars are available
so that an existing Tomcat 3.3 site may be updated.  For
details, see:
<http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3/bin/>

It is recommended that everyone using Tomcat 3.3 on Windows systems
upgrade to 3.3a using the binary distribution or update jar(s).

Updated source is also available, and may be found here:

<http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3/src/>

For consistency, affected RPMs have been updated to 3.3a.  Since
only Windows systems are vulnerable, updating is optional.

Those who do not require an officially released version are
welcome to consider using the current Tomcat 3.3.1-dev
release.  Since Tomcat 3.3.x is in maintenance mode, no major
changes have occurred since Tomcat 3.3 Final's release.  You
should find 3.3.1-dev as stable as 3.3 and more bug-free.
To view what has been done so far, see:

<http://cvs.apache.org/viewcvs/jakarta-tomcat/RELEASE-NOTES-3.3.1.txt?rev=1.22&content-type=text/vnd.viewcvs-markup>

The binary distribution for Tomcat 3.3.1-dev may be found at:

<http://jakarta.apache.org/builds/jakarta-tomcat/nightly-3.3.x/>

Work is underway to bring Tomcat 3.3.1 to release, hopefully
in the next two to three weeks.

Larry Isaacs
