
[no subject]



A security vulnerability has been confirmed to exist in all Apache
Tomcat 4.x versions (including Tomcat 4.0.4 and Tomcat 4.1.10),
which allows a specially crafted URL to be used to return the
unprocessed source of a JSP page, or under special circumstances a
static resource which would otherwise have been protected by a
security constraint, without the need to be properly
authenticated.
Using the invoker servlet in conjunction with the default servlet
(responsible for handling static content in Tomcat) triggers this
vulnerability. This particular configuration is available in the
default Tomcat configuration."

More information is also available at Bugtraq.

>How-To-Repeat:
See the Bugtraq mailing list.

>Fix:
Workaround from jakarta.apache.org:
"An easy workaround exists for
existing Tomcat installations, by disabling the invoker servlet in
the default webapp configuration.
In the $CATALINA_HOME/conf/web.xml file (on Windows,
%CATALINA_HOME%\conf\web.xml), comment out or remove the following
XML fragment:

    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>

The Apache Tomcat Team announces the immediate availability of new
releases which include a fix to the invoker servlet."
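The following is an added example (not part of the original PR or of the Tomcat project) that checks a web.xml for the invoker mapping the workaround above tells you to disable, and applies that workaround by commenting the mapping out. The sample web.xml embedded below is constructed to resemble the Tomcat 4.x default and is not a copy of any real file; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Tomcat 4.x $CATALINA_HOME/conf/web.xml
# fragment quoted in the advisory; not taken from a real installation.
SAMPLE_WEB_XML = """<web-app>
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>invoker</servlet-name>
        <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix ({uri}tag -> tag) so namespaced web.xml files work too."""
    return tag.rsplit("}", 1)[-1]


def active_invoker_patterns(xml_text, servlet_name="invoker"):
    """Return the url-patterns still mapped to the invoker servlet.

    ElementTree discards XML comments while parsing, so a mapping that has
    been commented out (the advisory's workaround) is not reported; only
    mappings the container would actually load are."""
    root = ET.fromstring(xml_text)
    patterns = []
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        name = None
        urls = []
        for child in mapping:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                urls.append((child.text or "").strip())
        if name == servlet_name:
            patterns.extend(urls)
    return patterns


_COMMENT = re.compile(r"<!--.*?-->", re.S)


def comment_out_invoker_mapping(xml_text, servlet_name="invoker"):
    """Apply the workaround: wrap each active invoker <servlet-mapping> block
    in an XML comment.

    Only text outside existing comments is touched, because a comment inside
    a comment ("--" within <!-- -->) is not well-formed XML. Assumes the
    mapping lists <servlet-name> before <url-pattern>, as the default file does."""
    block = re.compile(
        r"<servlet-mapping>\s*<servlet-name>\s*" + re.escape(servlet_name)
        + r"\s*</servlet-name>.*?</servlet-mapping>", re.S)

    def wrap(segment):
        return block.sub(lambda b: "<!-- " + b.group(0) + " -->", segment)

    out = []
    pos = 0
    for m in _COMMENT.finditer(xml_text):
        out.append(wrap(xml_text[pos:m.start()]))  # uncommented text: fix it
        out.append(m.group(0))                     # existing comment: keep as is
        pos = m.end()
    out.append(wrap(xml_text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print("before:", active_invoker_patterns(SAMPLE_WEB_XML))
    fixed = comment_out_invoker_mapping(SAMPLE_WEB_XML)
    print("after: ", active_invoker_patterns(fixed))
```

Running the check against a real installation means reading $CATALINA_HOME/conf/web.xml into `active_invoker_patterns`; an empty list means the invoker servlet is no longer reachable through any URL pattern. Note that disabling the mapping leaves the `<servlet>` declaration in place, which is harmless and matches what the advisory asks for.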

You can also update the port to jakarta-tomcat 4.1.12, which includes the fix:

diff -ruN jakarta-tomcat41.bak/Makefile jakarta-tomcat41/Makefile
--- jakarta-tomcat41.bak/Makefile	Thu Sep 26 19:58:55 2002
+++ jakarta-tomcat41/Makefile	Thu Sep 26 20:02:16 2002
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	jakarta-tomcat
-PORTVERSION=	4.1.10
+PORTVERSION=	4.1.12
 CATEGORIES=	www java
 MASTER_SITES=	http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v${PORTVERSION}/bin/ \
 		http://www.metaverse.nl/~ernst/ \
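Review bot: the PORTVERSION bump is the only change in this hunk, but MASTER_SITES still builds the primary fetch URL from a jakarta-tomcat-4.0 release directory (`.../jakarta-tomcat-4.0/release/v${PORTVERSION}/bin/`) and lists a personal mirror (`http://www.metaverse.nl/~ernst/`) as the fallback; before committing, confirm that jakarta-tomcat-4.1.12.tar.gz is actually present at both locations, since a stale mirror would silently serve the vulnerable 4.1.10 tarball if it were the only one reachable and the distinfo check is the last line of defence.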


diff -ruN jakarta-tomcat41.bak/distinfo jakarta-tomcat41/distinfo
--- jakarta-tomcat41.bak/distinfo	Thu Sep 26 19:58:47 2002
+++ jakarta-tomcat41/distinfo	Thu Sep 26 20:03:00 2002
@@ -1 +1 @@
-MD5 (jakarta-tomcat-4.1.10.tar.gz) = c7aa5471efb1266f51e2917dcd0449e1
+MD5 (jakarta-tomcat-4.1.12.tar.gz) = 9689590820aa31ab401fced8e2ebeb5a
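Review bot: the new MD5 line should be generated from a tarball fetched from jakarta.apache.org itself and compared with the checksum published there, not from the secondary mirror listed in MASTER_SITES; for a security update the distinfo entry is what protects users from a tampered or stale archive, so the commit message should state where the checksum was verified.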
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@xxxxxxxxxxx
with "unsubscribe freebsd-ports" in the body of the message