Posted to users@tomcat.apache.org by "Craig R. McClanahan" <Cr...@eng.sun.com> on 2000/12/13 01:31:57 UTC

[ANNOUNCEMENT] Security Related Updates - Tomcat 3.1.1 and Tomcat 3.2.1

Recent investigations and reports have revealed security vulnerabilities in both
Tomcat 3.1 and Tomcat 3.2 final releases.  To deal with these problems, the
Tomcat team has developed maintenance releases, and recommended actions, for
each major version.  (Tomcat 4.0 milestone 4 shares one of these vulnerabilities
that will be fixed in the upcoming milestone 5 release, which is imminent.)


TOMCAT 3.1 USERS

* There are seven identified vulnerabilities that are documented in the
  Release Notes for Tomcat 3.1.1 (file "doc/readme" in the distribution).

* To deal with these problems for users who are unable to upgrade,
  a maintenance release, Tomcat 3.1.1, has been prepared.  You can
  download it at:

    http://jakarta.apache.org/builds/tomcat/release/v3.1.1/bin/

* This release fixes ***only*** the identified security vulnerabilities.  It
  does not address any of the other bugs that exist in Tomcat 3.1.  No future
  maintenance release of Tomcat 3.1 is planned to deal with these issues.

* You are ***strongly*** encouraged to upgrade to Tomcat 3.2.1 as quickly
  as possible.  In doing so, you will benefit from these security
  vulnerabilities being fixed, performance improvements, new features, and
  a large number of non-security related bug fixes.  See below for the
  download URL.

* In the event that you are not able to upgrade immediately, the corrective
  action is to download the binary distribution, and replace the appropriate
  contents in the $TOMCAT_HOME directory.  There is no need to modify
  any of the binary components (such as the mod_jserv component used to
  connect Tomcat to Apache).

* In addition, if you have not removed it already (or built your own security
  mechanisms to protect it), you should remove the Tomcat 3.1
  administrative application by deleting the $TOMCAT_HOME/webapps/admin
  directory.


TOMCAT 3.2 USERS

* There are two identified vulnerabilities that are documented in the
  Release Notes for Tomcat 3.2.1 (file "doc/readme" in the distribution).
  These vulnerabilities have been fixed in Tomcat 3.2.1.

* You can download this security maintenance release at:

    http://jakarta.apache.org/builds/tomcat/release/v3.2.1/bin/

* You are ***strongly*** encouraged to download and install this
  update as quickly as possible.

* This release fixes ***only*** the identified security vulnerabilities.
  It does not address any of the other bugs, or feature requests, related
  to Tomcat 3.2 final.  These issues will be dealt with in future
  maintenance releases of Tomcat 3.2 as appropriate.

* The corrective action is to download the binary distribution, and
  replace the appropriate contents in the $TOMCAT_HOME directory.
  There is no need to modify any of the binary components (such as the
  mod_jserv component used to connect Tomcat to Apache).


Craig McClanahan



Re: [ANNOUNCEMENT] Security Related Updates - Tomcat 3.1.1 and Tomcat 3.2.1

Posted by Horace Vallas <ha...@hav.com>.
Hey Craig - sorry to be dense - but what are the "appropriate contents"
that should be replaced by 3.2.1?  Is this just the various jars in /lib?

--
Wishing you an "OOBA OOBA" Y2K
Horace                            ...once known as "Kicker" :-)  
================================================================
Horace Vallas   hav.Software                 http://www.hav.com/     
                P.O. Box 354                         hav@hav.com
                Richmond, Tx. 77406-0354     voice: 281-341-5035 
                USA                            fax: 281-341-5087

Thawte Web Of Trust Notary in SW Houston, Tx.
http://www.hav.com/?content=/thawteWOTnotary.htm
================================================================
...drop by and chat if I'm online       http://www.hav.com/chat/
===   ===   ===   ===   ===   ===   ===   ===   ===   ===   ====
What is a Vet? ... He is the barroom loudmouth, dumber than five 
wooden planks, whose overgrown frat-boy behavior is outweighed a 
hundred times in the cosmic scales by four hours of exquisite 
bravery near the 38th parallel. ... - Unknown
                                      http://www.hav.com/vet.htm
================================================================

> 
> TOMCAT 3.2 USERS
> 
> * There are two identified vulnerabilities that are documented in the
>   Release Notes for Tomcat 3.2.1 (file "doc/readme" in the distribution).
>   These vulnerabilities have been fixed in Tomcat 3.2.1.
> 
> * You can download this security maintenance release at:
> 
>     http://jakarta.apache.org/builds/tomcat/release/v3.2.1/bin/
> 
> * You are ***strongly*** encouraged to download and install this
>   update as quickly as possible.
> 
> * This release fixes ***only*** the identified security vulnerabilities.
>   It does not address any of the other bugs, or feature requests, related
>   to Tomcat 3.2 final.  These issues will be dealt with in future
>   maintenance releases of Tomcat 3.2 as appropriate.
> 
> * The corrective action is to download the binary distribution, and
>   replace the appropriate contents in the $TOMCAT_HOME directory.
>   There is no need to modify any of the binary components (such as the
>   mod_jserv component used to connect Tomcat to Apache).
>
