Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] GLSA: tomcat
Date: Wed, 25 Sep 2002 07:09:43
Message-Id: 200209251409.38311.aliz@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE : tomcat
SUMMARY : source exposure
DATE    : 2002-09-25 11:30 UTC

- - --------------------------------------------------------------------

OVERVIEW

Tomcat 4.0.4 and 4.1.10 (and probably all earlier versions as well) are
vulnerable to source code exposure through the default servlet
org.apache.catalina.servlets.DefaultServlet.

DETAIL

Say you have a valid URL such as http://my.site/login.jsp; then a URL such as
http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp
will return the source code of the JSP page.

The full syntax of the exposure URL is:

http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet/[context_relative_path/]file_name.jsp
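As an added detection example (not part of this advisory, and not code from Tomcat or Gentoo), the Python below scans Tomcat access log lines in common log format and reports every request whose path names org.apache.catalina.servlets.DefaultServlet, which is the shape of the exposure URL above. A hit that the server answered with 200 on an unpatched instance means the JSP source was most likely returned instead of the rendered page. The log lines are constructed for the example; the function and class names are my own, and the script assumes the log was written by Tomcat's access log valve in the common ("host ident user [time] request status bytes") format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Servlet class named in the advisory. A request that names it in the path
# is asking Tomcat to route the file through DefaultServlet by class name.
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Common log format (assumed log layout):
# host ident authuser [time] "METHOD path protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log; not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2002:11:30:01 +0000] "GET /login.jsp HTTP/1.0" 200 1342
10.0.0.7 - - [25/Sep/2002:11:30:05 +0000] "GET /servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp HTTP/1.0" 200 2210
10.0.0.7 - - [25/Sep/2002:11:30:09 +0000] "GET /shop/servlet/org.apache.catalina.servlets.DefaultServlet/admin/index.jsp HTTP/1.0" 404 0
10.0.0.9 - - [25/Sep/2002:11:31:00 +0000] "GET /servlet/org.apache.catalina.servlets.DefaultServlet/login%2Ejsp HTTP/1.1" 200 2210
10.0.0.9 - - [25/Sep/2002:11:31:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 5120
"""


@dataclass
class Finding:
    client: str
    time: str
    target: str   # context-relative file requested through DefaultServlet
    status: int
    served: bool  # True when the answer was 200, i.e. the source was likely returned


def default_servlet_target(path: str) -> Optional[str]:
    """Return the file requested via DefaultServlet, or None for an ordinary path.

    Handles both shapes of the advisory's syntax (with or without a leading
    context, with or without the /servlet/ invoker prefix). The query string
    is dropped and percent-encoding decoded first, so an encoded file name
    such as login%2Ejsp still matches.
    """
    decoded = unquote(path.split("?", 1)[0])
    segments = decoded.split("/")
    if DEFAULT_SERVLET not in segments:
        return None
    idx = segments.index(DEFAULT_SERVLET)
    target = "/".join(segments[idx + 1:])
    return target or None


def scan_access_log(log_text: str) -> List[Finding]:
    """Parse each log line and collect the requests routed through DefaultServlet."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not in common log format; skip rather than guess
        target = default_servlet_target(m["path"])
        if target is None:
            continue
        status = int(m["status"])
        findings.append(Finding(m["client"], m["time"], target, status, status == 200))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        state = "source likely served" if f.served else f"status {f.status}"
        print(f"{f.time} {f.client} requested {f.target} via DefaultServlet ({state})")
```

Run as-is it prints three findings from the constructed log: two successful requests for login.jsp (one of them percent-encoded) and one 404 for admin/index.jsp. This is detection only; the fix is the package update the SOLUTION section below describes, and the scan is useful afterwards for working out which JSP files may already have been read.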

More information can be found at:

http://online.securityfocus.com/archive/1/292936/2002-09-22/2002-09-28/0


SOLUTION

It is recommended that all Gentoo Linux users who are running
net-www/tomcat-4.04 and earlier update their systems as follows:

emerge rsync
emerge tomcat
emerge clean

- - --------------------------------------------------------------------
aliz@g.o - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9kaeBfT7nyhUpoZMRAsJTAKCqg0U1g66H0La0/V6plwi+wOHcCACdEUum
VWwU9nlWMXrt1A4p52F30m8=
=xzdY
-----END PGP SIGNATURE-----