summaryrefslogtreecommitdiff
path: root/x11
diff options
context:
space:
mode:
authorjwise <jwise>2001-03-28 02:46:07 +0000
committerjwise <jwise>2001-03-28 02:46:07 +0000
commitd2e41a48d323569a0be456d0eb7a58cfc6e09ec1 (patch)
treed5f981afc246f2a282169bb6eff1745090ea6b9f /x11
parent9c2a7f6167eb2a35a2c921d4eee9bcde4e051ee8 (diff)
downloadpkgsrc-d2e41a48d323569a0be456d0eb7a58cfc6e09ec1.tar.gz
Update jakarta-tomcat to version 3.2.1.
Changes in the package since version 3.1.1 (the last pkgsrc version): ===================================================================== * tomcat is now always installed under ${PREFIX}/tomcat. Making ${TOMCAT_HOME} configurable added much complexity for not real gain. It had been my intention to aim for a hier(7) like install for tomcat with this version, but at this point there are way to many hard-coded relative paths (relative to tomcat.home) in tomcat, and in addition, all of the (quite good, really) documentation assumes the standard install paths. Note that the previous default value of ${TOMCAT_HOME} was ${PREFIX}/jakarta/tomcat. * an rc.subr compatible (but not requiring) startup script is now installed as ${PREFIX}/etc/rc.d/tomcat. * if Sun's JSSE (Java Secure Socket Extensions) is in ${CLASSPATH} when the pkg is built, tomcat will be built with support for SSL in the standalone server mode. This soft dependency will be replaced by a hard dependency as soon as I get a chance to import a JSSE package (soon). * likewise, I will import an ap-jk package for the new apache connector (mod_jk) soon. ap-jserv continues to be usable for this purpose. Changes in tomcat itself since version 3.1.1: ============================================= New in tomcat-3.2.1: -------------------- Tomcat 3.2.1 is a maintenance and bug fix release, based on the Tomcat 3.2 (final) code base. The following changes are included: - Disallowed requesting JSP pages under the WEB-INF directory (/WEB-INF/dummy.jsp). Previously, only requests for static files were being disallowed. - The JDBCRealm request interceptor will now log the description of any JDBC exception that occurs, to aid in debugging. SECURITY VULNERABILITIES FIXED IN TOMCAT 3.2.1 (note that these fixes were also made to the tomcat-3.1 branch in tomcat 3.1.1) Protection of Resources in /WEB-INF and /META-INF Directories The servlet specification prohibits servlet containers from serving resources in the /WEB-INF and /META-INF directories of a web application archive directly to clients. In Tomcat 3.2, this means that URLs like: http://localhost:8080/examples/WEB-INF/web.xml will return an error message, rather than the contents of your deployment descriptor. However, there is a vulnerability in Tomcat 3.2 that exposes this information if the client requests a URL like this instead: http://localhost:8080/examples//WEB-INF/web.xml (note the double slash before "WEB-INF"). This vulnerability has been corrected in Tomcat 3.2.1. Show Source Vulnerability The example application delivered with Tomcat 3.2 included a mechanism to display the source code for the JSP page examples. This mechanism could be used to bypass the restrictions on displaying sensitive information in the WEB-INF and META-INF directories. This vulnerability has been removed. New in tomcat-3.2: ------------------ Tomcat 3.2 is mainly a performance tune-up release, although a few new features have been added. - Support for mod_jk, which is a replacement to the elderly mod_jserv, has had several bugs fixed and has received much more testing. It is now recommended that all users use mod_jk instead of mod_jserv. - Support JAXP-based XML parser independence. - New and often requested "how-to" documents covering the following topics: - Configuring workers.properties - IIS and Netscape configuration - Running tomcat inside an IIS or Netscape process - Running Tomcat as a Windows NT service - Configuring a JDBC realm - Configuring mod_jk - First round of policy-based security support intended for running untrusted code inside of Tomcat. Interested users should test this support and post feedback to the Tomcat users mailing list. - SSL support for standalone Tomcat. (Preliminary support first appeared in 3.1, but the support in 3.2 has received more testing and documentation support). - Thread reuse is now enabled by default. The thread pool support code was part of 3.1, but not enabled since it was new. - Support for plug-able session managers. Unfortunately, no how-to documents that support this functionality exist (yet). For the adventurous, be aware that the interface that allows administrators to plug session managers is the normal Interceptor interface. - An almost total rewrite of the HTTP request handling now results in improved performance when running Tomcat stand-alone. - Significantly reduced garbage collection. - The code underwent a refactoring effort resulting in improved readability. - And of course, hundreds of miscellaneous improvements and fixes.
Diffstat (limited to 'x11')
0 files changed, 0 insertions, 0 deletions