Bug 43503 - Jakarta Tomcat 4.0.x security update (4.0.5)
Summary: Jakarta Tomcat 4.0.x security update (4.0.5)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Ernst de Haan
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2002-09-30 07:50 UTC by Ernst de Haan
Modified: 2002-09-30 13:44 UTC (History)
Description Ernst de Haan freebsd_committer freebsd_triage 2002-09-30 07:50:02 UTC
A security vulnerability has been confirmed to exist in all Apache Tomcat 4.x
versions (including Tomcat 4.0.4 and Tomcat 4.1.10), which allows a specially
crafted URL to be used to return the unprocessed source of a JSP page, or under
special circumstances a static resource which would otherwise have been
protected by a security constraint, without the need to be properly
authenticated.

Using the invoker servlet in conjunction with the default servlet (responsible
for handling static content in Tomcat) triggers this vulnerability. This
particular configuration is available in the default Tomcat configuration. An
easy workaround exists for existing Tomcat installations: disable the
invoker servlet in the default webapp configuration.

The Tomcat 4.0.x port should be updated to 4.0.5.

See: http://jakarta.apache.org/site/news.html
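The workaround mentioned above, as an added illustration that is not part of the original report or the port patch: in Tomcat 4 the "default webapp configuration" is conf/web.xml under $CATALINA_HOME (assumed location), and disabling the invoker means commenting out its servlet-mapping so no URL reaches it.

```xml
<!-- Excerpt of $CATALINA_HOME/conf/web.xml (Tomcat 4.0.x).
     Before: the invoker servlet is declared and mapped to /servlet/*,
     which is the configuration the report describes as vulnerable. -->
<servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
</servlet>

<!-- After: the mapping is commented out, so the invoker can no longer be
     reached by any request path. Leaving the <servlet> declaration in
     place is harmless; removing the mapping is what disables it. -->
<!--
<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->
```

Restart Tomcat after the change; this only removes the workaround's trigger and is not a substitute for updating to 4.0.5.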
Comment 1 Ernst de Haan freebsd_committer freebsd_triage 2002-09-30 07:51:24 UTC
Responsible Changed
From-To: freebsd-ports->znerd

I'll handle this myself.
Comment 2 ernst.dehaan 2002-09-30 08:00:22 UTC
Here's a patch:
http://people.FreeBSD.org/~znerd/tomcat4.0.5.diff
Comment 3 Ernst de Haan freebsd_committer freebsd_triage 2002-09-30 13:44:19 UTC
State Changed
From-To: open->closed

Committed.