Date: Thu, 26 Sep 2002 20:27:43 +0200 (CEST)
From: Thomas Vogt <thomas.vogt@bsdunix.ch>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/43399: Update port: jakarta-tomcat4 (security issue)
Message-ID: <200209261827.g8QIRhHg004765@calahan.bsdunix.ch>
>Number:         43399
>Category:       ports
>Synopsis:       Update port: jakarta-tomcat4 (security issue)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 26 11:30:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Vogt
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
>Environment:
System: FreeBSD calahan.bsdunix.ch 4.6-STABLE FreeBSD 4.6-STABLE #0: Sat Aug 31 01:14:55 CEST 2002 root@calahan.bsdunix.ch:/usr/obj/usr/src/sys/TURBO i386
>Description:
From jakarta.apache.org:

"24 September 2002 - Security updates: Tomcat 4.1.12 Stable and Tomcat 4.0.5 Released

A security vulnerability has been confirmed to exist in all Apache Tomcat 4.x versions (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows to use a specially crafted URL to return the unprocessed source of a JSP page, or under special circumstances a static resource which would otherwise have been protected by security constraint, without the need of being properly authenticated. Using the invoker servlet in conjunction with the default servlet (responsible for handling static content in Tomcat) triggers this vulnerability. This particular configuration is available in the default Tomcat configuration."

or see the Bugtraq mailing list, where you can also find some examples.
>How-To-Repeat:
See Bugtraq
>Fix:
An easy workaround exists for existing Tomcat installations, by disabling the invoker servlet in the default webapp configuration. In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml), comment out or remove the following XML fragment:

    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>

The Apache Tomcat Team announces the immediate availability of new releases which include a fix to the invoker servlet.
or use jakarta-tomcat 4.0.5 diff -ruN jakarta-tomcat4.bak/Makefile jakarta-tomcat4/Makefile --- jakarta-tomcat4.bak/Makefile Thu Sep 26 20:20:02 2002 +++ jakarta-tomcat4/Makefile Thu Sep 26 19:58:15 2002 @@ -6,7 +6,7 @@ # PORTNAME= jakarta-tomcat -PORTVERSION= 4.0.4 +PORTVERSION= 4.0.5 CATEGORIES= www java MASTER_SITES= http://jakarta.apache.org/builds/jakarta-tomcat-${PORTVERSION:R}/release/v${PORTVERSION}/bin/ \ http://www.metaverse.nl/~ernst/ \ diff -ruN jakarta-tomcat4.bak/distinfo jakarta-tomcat4/distinfo --- jakarta-tomcat4.bak/distinfo Thu Sep 26 20:20:11 2002 +++ jakarta-tomcat4/distinfo Thu Sep 26 19:58:07 2002 @@ -1 +1 @@ -MD5 (jakarta-tomcat-4.0.4.tar.gz) = e4dd59d75acaa6a24b5faab750d3d247 +MD5 (jakarta-tomcat-4.0.5.tar.gz) = bc78eff46cbc932425761e4ab6dfcb1e >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
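Review bot: the Makefile hunk bumps PORTVERSION from 4.0.4 to 4.0.5, but the three context lines on each side show no PORTREVISION; if the port sets one further down the file it must be removed or reset together with the PORTVERSION bump, so that should be confirmed before commit. The MASTER_SITES line needs no change, since ${PORTVERSION:R} still expands to 4.0 for 4.0.5 and the release path therefore stays correct.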
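Review bot: the distinfo hunk replaces the MD5 line only, so bc78eff46cbc932425761e4ab6dfcb1e becomes the sole integrity check on the fetched jakarta-tomcat-4.0.5.tar.gz; since the Makefile lists a non-Apache mirror (http://www.metaverse.nl/~ernst/) in MASTER_SITES, the checksum should be confirmed against the archive fetched from the primary jakarta.apache.org release directory and not only against whichever mirror the submitter happened to download from.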
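For administrators who apply the workaround from the Fix section rather than upgrading, the following script is an added example (not part of this PR, the port, or the Tomcat project) that audits a web.xml for a still-active invoker mapping. It parses the file as XML, so a mapping that has been commented out is correctly reported as disabled, and it strips namespaces so that it also handles later web.xml versions that declare an xmlns, which the PR's Tomcat 4 file does not. The two sample web.xml documents are constructed for the example and trimmed to the elements the check inspects.

```python
"""Audit a Tomcat web.xml for an active mapping of the 'invoker' servlet.

Added example, not from the PR or from Tomcat: verifies the workaround in
the advisory, i.e. that the <servlet-mapping> for the invoker servlet has
been removed or commented out of $CATALINA_HOME/conf/web.xml.
"""
import sys
import xml.etree.ElementTree as ET


def _local(tag):
    # Drop an XML namespace prefix ("{uri}name" -> "name") so the check also
    # works on newer web.xml files that declare xmlns on <web-app>.
    return tag.split("}", 1)[-1]


def active_invoker_patterns(web_xml_text):
    """Return the url-patterns of every live servlet-mapping for 'invoker'.

    XML comments never reach the parsed tree, so a commented-out mapping
    (the advisory's workaround) is treated as inactive. An empty list means
    the invoker servlet is not reachable through any URL.
    """
    root = ET.fromstring(web_xml_text)
    patterns = []
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        name = None
        urls = []
        for child in mapping:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                urls.append((child.text or "").strip())
        if name == "invoker":
            patterns.extend(urls)
    return patterns


def audit(path):
    """Print a verdict for the file at `path`; return True if no mapping is live."""
    with open(path, "rb") as f:
        patterns = active_invoker_patterns(f.read())
    if patterns:
        print("%s: invoker servlet still mapped at %s" % (path, ", ".join(patterns)))
        return False
    print("%s: no active invoker mapping" % path)
    return True


# Constructed sample: the shape of a default Tomcat 4 web.xml before the workaround.
VULNERABLE_WEB_XML = """<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same file with the workaround applied (mapping commented out).
FIXED_WEB_XML = VULNERABLE_WEB_XML.replace(
    """  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>""",
    """  <!--
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->""")


if __name__ == "__main__":
    # Usage: python check_invoker.py $CATALINA_HOME/conf/web.xml [more web.xml files]
    sys.exit(0 if all(audit(p) for p in sys.argv[1:]) else 1)
```

Run it against every web.xml on the host, not only the one under conf/, because an application's own WEB-INF/web.xml can map the invoker servlet independently of the global file; the exit status makes it usable from a cron job or a configuration-management check.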