summaryrefslogtreecommitdiff
path: root/www/jakarta-tomcat/patches
diff options
context:
space:
mode:
authorjwise <jwise>2000-12-13 03:49:30 +0000
committerjwise <jwise>2000-12-13 03:49:30 +0000
commit9a47a9cd3f233418394d98498d038bd8c6b4c13b (patch)
tree80815636789987014bc0e0751e38f94f1d729735 /www/jakarta-tomcat/patches
parentba3be746201a63d57f15d01d4bb71165d069fd26 (diff)
downloadpkgsrc-9a47a9cd3f233418394d98498d038bd8c6b4c13b.tar.gz
Update jakarta-tomcat to 3.1.1. This is a security fix release, and the
vulnerabilities file will be updated. Changes from jakarta-tomcat-3.1: =============================================================================== 6. SECURITY VULNERABILITIES FIXED IN TOMCAT 3.1.1 6.1 Administrative Application Enabled By Default The administrative application (at context path "/admin") was enabled by default in Tomcat 3.1, which allowed unauthenticated remote users to add and remove appliations from a running Tomcat 3.1 installation if it was left installed. To avoid such problems, the administrative application has been removed from the binary distribution of Tomcat 3.1.1. It can be installed if desired by: - Downloading the source distribution of Tomcat 3.1.1. - Modifying the "build.xml" file to remove the commenting around the logic that creates the adminstrative application. - Running the build.sh or build.bat script. 6.2 Case Sensitive Matches on Static Resources In Tomcat 3.1, matches against the filenames of static resources was done in a case insensitive manner on case insensitive platforms (such as Microsoft Windows). This can cause sensitive information to be exposed to remote users who experiment with differently cased request URIs. To avoid such problems, Tomcat 3.1.1 performs filename comparisons for static resources in a case sensitive manner, even on Windows. This means that your hyperlinks must specify the correct case, or a 404 error will be returned. Because this can cause significant conversion problems for existing applications deployed on Tomcat 3.1, a configuration option is provided to temporarily turn off case sensitive matching. Edit the file "conf/web.xml" and modify the value for the "caseSensitive" initialization parameter to the default file-serving servlet. WARNING: CHANGING THIS SETTING WILL RE-INTRODUCE THE SECURITY VULNERABILITY PRESENT IN TOMCAT 3.1 -- IT IS *STRONGLY* RECOMMENDED THAT YOU CORRECT YOUR URLS TO MATCH CORRECTLY INSTEAD OF USING THIS OPTION. Note: All later versions of Tomcat perform filename matches in a case sensitive manner. 6.3 Snoop Servlet Mappings in Example Application In the deployment descriptor for the example application delivered with Tomcat 3.1, a "snoop" servlet was mapped to URL patterns "/snoop" and "*.snp". Theses mappings (in particular the second one) could cause exposure of sensitive information on the internal organization of your web application (for example, when a non-existent page "foo.snp" is requested). To avoid these problems, the offending mappings have been commented out. 6.4 Show Source Vulnerability The example application delivered with Tomcat 3.1 included a mechanism to display the source code for the JSP page examples. This mechanism could be used to bypass the restrictions on displaying sensitive information in the WEB-INF and META-INF directories. This vulnerability has been removed. 6.5 Requesting Unknown JSP Pages In Tomcat 3.1, the error message in response to a request for an unknown JSP page would include the absolute disk file pathname of the corresponding file which could not be found, which exposes sensitive information about how your application is deployed. The error message has been adjusted to include only the context-relative path of the JSP page which could not be found. 6.6 Session ID Vulnerability The algorithm used to calculate session identifiers for new sessions was subject to attack by attempting to guess what the next session identifier will be, and therefore hijack the session. In addition, the generated identifier exposed sensitive information (the number of sessions that have been created since this web application was started. To avoid these problems, the session identifier generation algorithm has been replaced by the algorithm used in Tomcat 3.2, which is not subject to these attacks, and does not expose session count information. 6.7 Server Shutdown Vulnerability In Tomcat 3.1, it was possible to establish a remote network connection to the AJP12 connector and cause Tomcat to shut itself down. Now, this network connection must be created from the same server that Tomcat is running on. NOTE: While this is more secure than Tomcat 3.1 (and mirrors the protection provided by Tomcat 3.2), it is still vulnerable to attack by users who can create socket connections from the server. Suitable use of firewalls and "TCP Wrappers" applications are suggested around the APJ12 port.
Diffstat (limited to 'www/jakarta-tomcat/patches')
-rw-r--r--www/jakarta-tomcat/patches/patch-aa22
-rw-r--r--www/jakarta-tomcat/patches/patch-ab54
2 files changed, 38 insertions, 38 deletions
diff --git a/www/jakarta-tomcat/patches/patch-aa b/www/jakarta-tomcat/patches/patch-aa
index a7f2a7e459e..a86be3ed5f5 100644
--- a/www/jakarta-tomcat/patches/patch-aa
+++ b/www/jakarta-tomcat/patches/patch-aa
@@ -1,12 +1,12 @@
-$NetBSD: patch-aa,v 1.3 2000/09/03 13:38:49 wiz Exp $
---- build.xml.orig Sun May 14 17:16:26 2000
-+++ build.xml Sun May 14 17:17:45 2000
+$NetBSD: patch-aa,v 1.4 2000/12/13 03:49:30 jwise Exp $
+--- build.xml.orig Tue Dec 12 14:50:46 2000
++++ build.xml Tue Dec 12 18:53:17 2000
@@ -6,7 +6,7 @@
- <property name="ant.home" value="../jakarta-ant" />
- <property name="build.compiler" value="classic"/>
- <property name="tomcat.build" value="../build/tomcat"/>
-- <property name="tomcat.home" value="../dist/tomcat"/>
-+ <property name="tomcat.home" value="@JAKARTA_HOME@/tomcat"/>
- </target>
-
- <!-- ==================== Copy static files ==================== -->
+ <property name="ant.home" value="../jakarta-ant" />
+ <property name="build.compiler" value="classic"/>
+ <property name="tomcat.build" value="../build/tomcat"/>
+- <property name="tomcat.home" value="../dist/tomcat"/>
++ <property name="tomcat.home" value="@JAKARTA_HOME@/tomcat"/>
+ </target>
+
+ <!-- ==================== Copy static files ==================== -->
diff --git a/www/jakarta-tomcat/patches/patch-ab b/www/jakarta-tomcat/patches/patch-ab
index 34704764c9a..a096b997422 100644
--- a/www/jakarta-tomcat/patches/patch-ab
+++ b/www/jakarta-tomcat/patches/patch-ab
@@ -1,28 +1,28 @@
-$NetBSD: patch-ab,v 1.3 2000/09/03 13:38:49 wiz Exp $
---- ./src/share/org/apache/tomcat/task/ApacheConfig.java.orig Sun May 14 18:11:20 2000
-+++ ./src/share/org/apache/tomcat/task/ApacheConfig.java Sun May 14 18:13:28 2000
+--- src/share/org/apache/tomcat/task/ApacheConfig.java.orig Tue Dec 12 14:51:28 2000
++++ src/share/org/apache/tomcat/task/ApacheConfig.java Tue Dec 12 18:58:28 2000
@@ -97,7 +97,7 @@
- } else {
- // XXX XXX change it to mod_jserv_${os.name}.so, put all so in tomcat
- // home
-- pw.println("LoadModule jserv_module libexec/mod_jserv.so");
-+ pw.println("LoadModule jserv_module @LOCALBASE@/lib/httpd/mod_jserv.so");
- }
-
- pw.println("ApJServManual on");
-@@ -105,13 +105,14 @@
- pw.println("ApJServSecretKey DISABLED");
- pw.println("ApJServMountCopy on");
- pw.println("ApJServLogLevel notice");
-+ pw.println("ApJServLogFile /var/log/httpd/jserv/mod_jserv.log");
- pw.println();
-
- // XXX read it from ContextManager
- pw.println("ApJServDefaultPort 8007");
-
- pw.println();
-- pw.println("AddType test/jsp .jsp");
-+ pw.println("AddType text/jsp .jsp");
- pw.println("AddHandler jserv-servlet .jsp");
-
-
+ } else {
+ // XXX XXX change it to mod_jserv_${os.name}.so, put all so in tomcat
+ // home
+- pw.println("LoadModule jserv_module libexec/mod_jserv.so");
++ pw.println("LoadModule jserv_module @LOCALBASE@/lib/httpd/mod_jserv.so");
+ }
+
+ pw.println("ApJServManual on");
+@@ -105,13 +105,15 @@
+ pw.println("ApJServSecretKey DISABLED");
+ pw.println("ApJServMountCopy on");
+ pw.println("ApJServLogLevel notice");
++ pw.println("ApJServLogFile /var/log/httpd/jserv/mod_jserv.log");
++
+ pw.println();
+
+ // XXX read it from ContextManager
+ pw.println("ApJServDefaultPort 8007");
+
+ pw.println();
+- pw.println("AddType test/jsp .jsp");
++ pw.println("AddType text/jsp .jsp");
+ pw.println("AddHandler jserv-servlet .jsp");
+
+