Date:      Mon, 30 Sep 2002 08:45:25 +0200 (CEST)
From:      Ernst de Haan <znerd@FreeBSD.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/43504: Jakarta Tomcat 4.1.x security update (4.1.12)
Message-ID:  <200209300645.g8U6jPkx052702@zaphod.euronet.nl>


>Number:         43504
>Category:       ports
>Synopsis:       Jakarta Tomcat 4.1.x security update (4.1.12)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 29 23:50:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Ernst de Haan
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
FreeBSD Project
>Environment:
System: FreeBSD zaphod.euronet.nl 4.6-STABLE FreeBSD 4.6-STABLE #11: Mon Sep 2 10:15:56 CEST 2002 root@zaphod.euronet.nl:/usr/obj/usr/src/sys/ZAPHOD i386
>Description:
A security vulnerability has been confirmed to exist in all Apache Tomcat 4.x
versions (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows a specially
crafted URL to return the unprocessed source of a JSP page, or under special
circumstances a static resource which would otherwise have been protected by a
security constraint, without the need to be properly authenticated.

Using the invoker servlet in conjunction with the default servlet (responsible
for handling static content in Tomcat) triggers this vulnerability. This
particular configuration is available in the default Tomcat configuration. An
easy workaround exists for existing Tomcat installations: disable the invoker
servlet in the default webapp configuration.

The Tomcat 4.1.x port should be updated to 4.1.12.

See: http://jakarta.apache.org/site/news.html
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
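
The workaround the PR describes (disabling the invoker servlet in the default
webapp configuration) is shown below as an added example; it is not part of
the PR and not code from the FreeBSD port or the Tomcat project. It assumes the
stock Tomcat 4.x global descriptor at $CATALINA_HOME/conf/web.xml, where the
invoker servlet is declared by name "invoker" with class
org.apache.catalina.servlets.InvokerServlet and mapped to /servlet/*. Both the
servlet declaration and its mapping are commented out, since a mapping with no
declaration would itself be a deployment error; the default servlet, which
serves static content, is left untouched.

```xml
<!-- Excerpt of conf/web.xml (Tomcat 4.x). Constructed example: the
     surrounding file is assumed, only the relevant entries are shown. -->
<web-app>

  <!-- The default servlet stays enabled: it is what serves static files. -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- WORKAROUND: the invoker servlet is disabled. The mapping below lets any
       servlet be reached by name under /servlet/*, which is what combines
       with the default servlet to expose JSP source. Both the declaration
       and the mapping are commented out together. -->
  <!--
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
  </servlet>
  -->

  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

  <!--
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->

</web-app>
```

After restarting Tomcat, any request under /servlet/ should now fall through to
the default servlet and return 404 rather than dispatching to a servlet by name;
per-webapp WEB-INF/web.xml files must be checked as well, because a webapp can
re-declare its own invoker mapping independently of conf/web.xml. Updating the
port to 4.1.12, as the PR requests, is still the proper fix.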
