From owner-freebsd-ports Sun Sep 29 23:50:07 2002
Delivered-To: freebsd-ports@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0DA7937B404 for ; Sun, 29 Sep 2002 23:50:04 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 811CB43E81 for ; Sun, 29 Sep 2002 23:50:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id g8U6o2Co058649 for ; Sun, 29 Sep 2002 23:50:02 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id g8U6o2CA058648; Sun, 29 Sep 2002 23:50:02 -0700 (PDT)
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7DD3C37B401 for ; Sun, 29 Sep 2002 23:44:41 -0700 (PDT)
Received: from zaphod.euronet.nl (zaphod.euronet.nl [194.134.168.213]) by mx1.FreeBSD.org (Postfix) with ESMTP id B7AFD43E42 for ; Sun, 29 Sep 2002 23:44:40 -0700 (PDT) (envelope-from ernst@zaphod.euronet.nl)
Received: from zaphod.euronet.nl (localhost [127.0.0.1]) by zaphod.euronet.nl (8.12.5/8.12.5) with ESMTP id g8U6ilAF052619 for ; Mon, 30 Sep 2002 08:44:47 +0200 (CEST) (envelope-from ernst@zaphod.euronet.nl)
Received: (from ernst@localhost) by zaphod.euronet.nl (8.12.5/8.12.5/Submit) id g8U6ik7f052618; Mon, 30 Sep 2002 08:44:46 +0200 (CEST)
Message-Id: <200209300644.g8U6ik7f052618@zaphod.euronet.nl>
Date: Mon, 30 Sep 2002 08:44:46 +0200 (CEST)
From: Ernst de Haan
Reply-To: Ernst de Haan
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: ports/43503: Jakarta Tomcat 4.0.x security update (4.0.5)
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         43503
>Category:       ports
>Synopsis:       Jakarta Tomcat 4.0.x security update (4.0.5)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 29 23:50:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Ernst de Haan
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
FreeBSD Project
>Environment:
System: FreeBSD zaphod.euronet.nl 4.6-STABLE FreeBSD 4.6-STABLE #11: Mon Sep 2 10:15:56 CEST 2002 root@zaphod.euronet.nl:/usr/obj/usr/src/sys/ZAPHOD i386
>Description:
A security vulnerability has been confirmed to exist in all Apache Tomcat 4.x versions (including Tomcat 4.0.4 and Tomcat 4.1.10). It allows a specially crafted URL to return the unprocessed source of a JSP page or, under special circumstances, a static resource that would otherwise have been protected by a security constraint, without the requester being properly authenticated.

Using the invoker servlet in conjunction with the default servlet (responsible for handling static content in Tomcat) triggers this vulnerability. This particular configuration is present in the default Tomcat configuration.

An easy workaround exists for existing Tomcat installations: disable the invoker servlet in the default webapp configuration.

The Tomcat 4.0.x port should be updated to 4.0.5.

See: http://jakarta.apache.org/site/news.html
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
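The workaround the report recommends, disabling the invoker servlet in the default webapp configuration, comes down to commenting out the invoker's <servlet> declaration and its <servlet-mapping> in Tomcat's conf/web.xml. The script below is an added example, not part of this PR or of the Tomcat project: it audits a web.xml for an active invoker mapping and produces a hardened copy. The web.xml fragment is constructed for the example after the layout of the Tomcat 4 default file (not a copy of it); the function names are my own; the class name org.apache.catalina.servlets.InvokerServlet and the /servlet/* mapping are the ones Tomcat 4 ships.

```python
"""Audit a Tomcat 4 conf/web.xml for an active invoker servlet and disable it.

Added example for the Tomcat 4.0.5 advisory; not code from the PR or from Tomcat.
"""
import re
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed sample modelled on Tomcat 4's default conf/web.xml: the default
# servlet (static content) and the invoker servlet are both declared and mapped,
# which is the combination the advisory describes.
VULNERABLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip any XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Return the trimmed text of the first child element called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def invoker_servlet_names(web_xml_text):
    """Names of all <servlet> entries whose class is the InvokerServlet.

    Commented-out declarations are not seen by the XML parser, so a web.xml
    hardened by commenting them out yields an empty set.
    """
    root = ET.fromstring(web_xml_text)
    names = set()
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") == INVOKER_CLASS:
            name = _child_text(servlet, "servlet-name")
            if name:
                names.add(name)
    return names


def invoker_mappings(web_xml_text):
    """URL patterns currently routed to an invoker servlet (empty means disabled)."""
    names = invoker_servlet_names(web_xml_text)
    root = ET.fromstring(web_xml_text)
    return [
        _child_text(mapping, "url-pattern")
        for mapping in root.iter()
        if _local(mapping.tag) == "servlet-mapping"
        and _child_text(mapping, "servlet-name") in names
    ]


def disable_invoker(web_xml_text):
    """Return web.xml text with the invoker <servlet> and <servlet-mapping> commented out.

    Works on the raw text so the file keeps its original formatting and comments.
    """
    for name in invoker_servlet_names(web_xml_text):
        for tag in ("servlet", "servlet-mapping"):
            # Tempered pattern: a <tag> ... </tag> block that names this servlet
            # and does not run past its own closing tag.
            block = re.compile(
                r"<%s>(?:(?!</%s>).)*?<servlet-name>\s*%s\s*</servlet-name>(?:(?!</%s>).)*?</%s>"
                % (tag, tag, re.escape(name), tag, tag),
                re.DOTALL,
            )
            web_xml_text = block.sub(
                lambda m: "<!-- disabled (Tomcat invoker advisory): " + m.group(0) + " -->",
                web_xml_text,
            )
    return web_xml_text


if __name__ == "__main__":
    print("before:", invoker_mappings(VULNERABLE_WEB_XML))
    print("after: ", invoker_mappings(disable_invoker(VULNERABLE_WEB_XML)))
```

Run it against a real conf/web.xml by reading the file into `disable_invoker` and writing the result back; re-running `invoker_mappings` on the output confirms the invoker is no longer reachable while the default servlet mapping is left untouched. Upgrading the port to 4.0.5 remains the actual fix; the script only applies the interim workaround.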