From owner-freebsd-ports Thu Sep 26 11:20: 7 2002
Delivered-To: freebsd-ports@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9EE5937B404 for ; Thu, 26 Sep 2002 11:20:03 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id DBA7643E4A for ; Thu, 26 Sep 2002 11:20:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id g8QIK2Co075108 for ; Thu, 26 Sep 2002 11:20:02 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id g8QIK2Hb075107; Thu, 26 Sep 2002 11:20:02 -0700 (PDT)
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 03B8F37B401 for ; Thu, 26 Sep 2002 11:19:39 -0700 (PDT)
Received: from calahan.bsdunix.ch (zux187-250.adsl.green.ch [80.254.187.250]) by mx1.FreeBSD.org (Postfix) with ESMTP id C7A8D43E65 for ; Thu, 26 Sep 2002 11:19:37 -0700 (PDT) (envelope-from turbo@bsdunix.ch)
Received: from calahan.bsdunix.ch (localhost [127.0.0.1]) by calahan.bsdunix.ch (8.12.5/8.12.5) with ESMTP id g8QIJWRq004657 for ; Thu, 26 Sep 2002 20:19:33 +0200 (CEST) (envelope-from turbo@bsdunix.ch)
Received: (from turbo@localhost) by calahan.bsdunix.ch (8.12.5/8.12.5/Submit) id g8QIJWiX004656; Thu, 26 Sep 2002 20:19:32 +0200 (CEST)
Message-Id: <200209261819.g8QIJWiX004656@calahan.bsdunix.ch>
Date: Thu, 26 Sep 2002 20:19:32 +0200 (CEST)
From: Thomas Vogt
Reply-To: Thomas Vogt
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: ports/43398: Update port: www/jakarta-tomcat41 (security fix)
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         43398
>Category:       ports
>Synopsis:       Update port: www/jakarta-tomcat41 (security fix)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 26 11:20:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Vogt
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
>Environment:
System: FreeBSD calahan.bsdunix.ch 4.6-STABLE FreeBSD 4.6-STABLE #0: Sat Aug 31 01:14:55 CEST 2002 root@calahan.bsdunix.ch:/usr/obj/usr/src/sys/TURBO i386
>Description:
From jakarta.apache.org:

"24 September 2002 - Security updates: Tomcat 4.1.12 Stable and Tomcat 4.0.5 Released

A security vulnerability has been confirmed to exist in all Apache Tomcat 4.x versions (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows the use of a specially crafted URL to return the unprocessed source of a JSP page, or under special circumstances a static resource which would otherwise have been protected by a security constraint, without the need of being properly authenticated. Using the invoker servlet in conjunction with the default servlet (responsible for handling static content in Tomcat) triggers this vulnerability. This particular configuration is available in the default Tomcat configuration."

More information is also available on Bugtraq.
>How-To-Repeat:
See the Bugtraq mailing list.
>Fix:
Workaround from jakarta.apache.org:

"An easy workaround exists for existing Tomcat installations, by disabling the invoker servlet in the default webapp configuration.
In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml), comment out or remove the following XML fragment:

    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>

The Apache Tomcat Team announces the immediate availability of new releases which include a fix to the invoker servlet."

You can also update to jakarta-tomcat 4.1.12:

diff -ruN jakarta-tomcat41.bak/Makefile jakarta-tomcat41/Makefile
--- jakarta-tomcat41.bak/Makefile	Thu Sep 26 19:58:55 2002
+++ jakarta-tomcat41/Makefile	Thu Sep 26 20:02:16 2002
@@ -6,7 +6,7 @@
 #
 PORTNAME=	jakarta-tomcat
-PORTVERSION=	4.1.10
+PORTVERSION=	4.1.12
 CATEGORIES=	www java
 MASTER_SITES=	http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v${PORTVERSION}/bin/ \
 		http://www.metaverse.nl/~ernst/ \
diff -ruN jakarta-tomcat41.bak/distinfo jakarta-tomcat41/distinfo
--- jakarta-tomcat41.bak/distinfo	Thu Sep 26 19:58:47 2002
+++ jakarta-tomcat41/distinfo	Thu Sep 26 20:03:00 2002
@@ -1 +1 @@
-MD5 (jakarta-tomcat-4.1.10.tar.gz) = c7aa5471efb1266f51e2917dcd0449e1
+MD5 (jakarta-tomcat-4.1.12.tar.gz) = 9689590820aa31ab401fced8e2ebeb5a
>Release-Note:
>Audit-Trail:
>Unformatted:
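Review bot: In the Makefile hunk, only the first MASTER_SITES entry follows the bump automatically, because it embeds ${PORTVERSION}; the second entry, http://www.metaverse.nl/~ernst/, is a fixed third-party path, so please confirm that jakarta-tomcat-4.1.12.tar.gz is actually present there, or expect fetches that fall through to it to fail. The hunk also does not show whether the port carries a PORTREVISION line; if it does, it should be reset to 0 together with the PORTVERSION change.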
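Review bot: The new MD5 in the distinfo hunk should be cross-checked against the checksum the Apache Tomcat project publishes for the 4.1.12 release before commit, not only regenerated locally with `make makesum`: a checksum computed over a tarball pulled from a mirror proves only that the port matches what the submitter downloaded. Since this update is the fix for the invoker/default-servlet source disclosure, that cross-check is what assures users they are getting the upstream 4.1.12.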
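The quoted workaround (comment out or remove the invoker servlet-mapping in $CATALINA_HOME/conf/web.xml) can be checked mechanically after the fact. The script below is an added example and is not part of this PR, of the port, or of Tomcat; the two web.xml documents in it are constructed stand-ins for the default and the fixed state, and it reports every url-pattern that still routes to the servlet named invoker (it also tolerates the default namespace that later web.xml versions declare, which the quoted fragment does not use).

```python
"""Audit a Tomcat conf/web.xml for an active invoker servlet mapping.
Added example, not from the PR or from Tomcat; both documents below are
constructed stand-ins for $CATALINA_HOME/conf/web.xml."""
import xml.etree.ElementTree as ET

# Default configuration: the mapping that makes the invoker reachable is live.
VULNERABLE_WEB_XML = """<web-app>
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
</web-app>
"""

# After the workaround: the fragment is commented out, so the XML parser,
# like Tomcat, no longer sees it.
FIXED_WEB_XML = """<web-app>
    <!--
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
    -->
</web-app>
"""

def _local(tag):
    """Drop a default-namespace prefix; later web.xml versions declare one."""
    return tag.rsplit("}", 1)[-1]

def invoker_url_patterns(web_xml_text):
    """Return every url-pattern that routes requests to the servlet named 'invoker'."""
    root = ET.fromstring(web_xml_text)
    patterns = []
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        names = [c.text.strip() for c in mapping if _local(c.tag) == "servlet-name" and c.text]
        if "invoker" in names:
            patterns += [c.text.strip() for c in mapping
                         if _local(c.tag) == "url-pattern" and c.text]
    return patterns

def invoker_enabled(web_xml_text):
    """True when the invoker servlet is reachable through any URL mapping."""
    return bool(invoker_url_patterns(web_xml_text))
```

Run it against the real file with `invoker_enabled(open(path).read())`; a non-empty result means the workaround has not been applied to that file.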