-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------

PACKAGE        :tomcat
SUMMARY        :source exposure
DATE           :2002-09-25 11:30 UTC

--------------------------------------------------------------------

OVERVIEW

Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also) are
vulnerable to
source code exposure by using the default servlet
org.apache.catalina.servlets.DefaultServlet.

DETAIL

Let say you have valid URL like http://my.site/login.jsp, then an URL like
http://my.site/servlet/org.apache.catalina.servlets.DefaultServlet/login.jsp
will give you the source code of  the JSP page.

The full syntaxes of the exposure URL is:

http://{server}[:port]/[Context/]org.apache.catalina.servlets.DefaultServlet
/[context_relative_path/]file_name.jsp

More information can be found at:

http://online.securityfocus.com/archive/1/292936/2002-09-22/2002-09-28/0


SOLUTION

It is recommended that all Gentoo Linux users who are running
net-www/tomcat-4.04 and earlier update their systems
as follows:

emerge rsync
emerge tomcat
emerge clean

--------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9kaeBfT7nyhUpoZMRAsJTAKCqg0U1g66H0La0/V6plwi+wOHcCACdEUum
VWwU9nlWMXrt1A4p52F30m8=
=xzdY
-----END PGP SIGNATURE-----

_______________________________________________
gentoo-announce mailing list
gentoo-announce@gentoo.org
http://lists.gentoo.org/mailman/listinfo/gentoo-announce
_______________________________________________
gentoo-security mailing list
gentoo-security@gentoo.org
http://lists.gentoo.org/mailman/listinfo/gentoo-security