Author: rjung
Date: Sat May 19 02:23:24 2007
New Revision: 539721

URL: http://svn.apache.org/viewvc?view=rev&rev=539721
Log:
Backport JK 1.2.23 release documents to trunk.
(r539263)

Modified:
    tomcat/connectors/trunk/jk/xdocs/index.xml
    tomcat/connectors/trunk/jk/xdocs/news/20070301.xml

Modified: tomcat/connectors/trunk/jk/xdocs/index.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/index.xml?view=diff&rev=539721&r1=539720&r2=539721
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/index.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/index.xml Sat May 19 02:23:24 2007
@@ -29,6 +29,40 @@
 <section name="Headlines">
 <br />
 <ul>
+<li><a href="news/20070301.html#20070518.1">18 May 2007 - <b>JK-1.2.23 
released</b></a>
+<p>The Apache Tomcat team is proud to announce the immediate availability
+of Tomcat Connectors 1.2.23 Stable.
+</p>
+<p>This version addresses the security flaw:
+<br />
+<a 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860";><b>CVE-2007-1860</b></a>
+A double encoded ".." in a URL can be used to access URLs on the AJP backend,
+for which no mod_jk forwarding rule exists (patch for CVE-2007-0450 was 
insufficient).
+</p><p>
+This version fixes the problem by using ForwardURICompatUnparsed
+as the default for the forwarding JkOption.
+You can similarly fix the problem for all previous versions of mod_jk by 
setting
+"JkOption ForwardURICompatUnparsed".
+If you upgrade to version 1.2.23 please ensure, that you do not have
+a different forwarding option in your existing configuration.
+We highly recommend, that you are consulting the
+<a href="reference/apache.html#Forwarding">forwarding documentation</a>,
+especially concerning the implications for interaction with mod_rewrite.
+</p><p>
+Please note that this issue only affects configurations,
+which use a prefix forwarding rule like "/myapp/*" or "/myapp/*.jsp"
+to restrict access to the context "/myapp". The issue will allow 
+malicious URLs to reach "/otherapp" or "/otherapp/*.jsp" as well.
+</p><p>
+The Tomcat Project thanks Kazu Nambo for his responsible reporting of this 
+vulnerability.
+</p>
+<p>Download the <a 
href="http://www.apache.org/dist/tomcat/tomcat-connectors/jk/source/jk-1.2.23/tomcat-connectors-1.2.23-src.tar.gz";>JK
 1.2.23 release sources</a>
+ | <a 
href="http://www.apache.org/dist/tomcat/tomcat-connectors/jk/source/jk-1.2.23/tomcat-connectors-1.2.23-src.tar.gz.asc";>PGP
 signature</a>
+</p>
+<p>Download the <a 
href="http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/";>binaries</a>
 for selected platforms.
+</p>
+</li>
 <li><a href="news/20070301.html#20070417.1">17 April 2007 - <b>JK-1.2.22 
released</b></a>
 <p>The Apache Tomcat team is proud to announce the immediate availability
 of Tomcat Connectors 1.2.22 Stable.
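
Review bot: The upgrade paragraph ("please ensure, that you do not have a different forwarding option in your existing configuration") does not say which settings to look for, so an administrator who upgrades to 1.2.23 but keeps an older forwarding JkOption line would not get the new ForwardURICompatUnparsed default and may not realise it. Suggest naming the forwarding options that override the default, or stating explicitly that any other forwarding JkOption has to be removed or replaced. Minor wording: drop the commas in "ensure, that" and "recommend, that", and change "that you are consulting" to "consulting".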

Modified: tomcat/connectors/trunk/jk/xdocs/news/20070301.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/news/20070301.xml?view=diff&rev=539721&r1=539720&r2=539721
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/news/20070301.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/news/20070301.xml Sat May 19 02:23:24 2007
@@ -15,14 +15,14 @@
 
 <section name="2007 News &amp; Status">
 <br />
-<a name="20070301.1"> 
-<h3>1 March - JK-1.2.21 released</h3>
+<a name="20070518.1"> 
+<h3>18 May - JK-1.2.23 released</h3>
 </a>
 <p>The Apache Tomcat team is proud to announce the immediate availability
-of Tomcat Connectors 1.2.21. This is a stable release adding new features
-and a few bug fixes to version 1.2.20.
+of Tomcat Connectors 1.2.23. This is a stable release adding new features
+and a few bug fixes to version 1.2.23.
 </p><p>
-It fixes a <a href="../security-jk.html">Critical vulnerability</a> introduced 
in version 1.2.19
+It fixes an <a href="http://tomcat.apache.org/security-jk.html";>Important 
vulnerability</a>.
 </p><p>
  Please see the <a href="../miscellaneous/changelog.html">ChangeLog</a> for a 
full list of changes.
 </p>
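
Review bot: The new 1.2.23 paragraph says the release adds "a few bug fixes to version 1.2.23", which compares the release with itself; the text it replaces read "1.2.21 ... to version 1.2.20", so this should presumably read "to version 1.2.22". The "Important vulnerability" sentence also leaves out CVE-2007-1860, which the index.xml change in this same commit names; adding the identifier here would let readers of the news page match the entry to the advisory.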
@@ -37,6 +37,22 @@
 <p>The Apache Tomcat team is proud to announce the immediate availability
 of Tomcat Connectors 1.2.22. This is a stable release adding new features
 and a few bug fixes to version 1.2.22.
+</p><p>
+ Please see the <a href="../miscellaneous/changelog.html">ChangeLog</a> for a 
full list of changes.
+</p>
+<p>If you find any bugs while using this release, please fill in the
+<a 
href="http://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%205";>Bugzilla</a>
+Bug Report. When entering bug select <b>Native:JK</b> Component.
+</p>
+<hr size="1" noshade="noshade" />
+<a name="20070301.1"> 
+<h3>1 March - JK-1.2.21 released</h3>
+</a>
+<p>The Apache Tomcat team is proud to announce the immediate availability
+of Tomcat Connectors 1.2.21. This is a stable release adding new features
+and a few bug fixes to version 1.2.20.
+</p><p>
+It fixes a <a href="http://tomcat.apache.org/security-jk.html";>Critical 
vulnerability</a> introduced in version 1.2.19
 </p><p>
  Please see the <a href="../miscellaneous/changelog.html">ChangeLog</a> for a 
full list of changes.
 </p>
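
Review bot: The unchanged 1.2.22 paragraph at the top of this hunk reads "a few bug fixes to version 1.2.22", the same self-reference that the previous hunk introduces for 1.2.23; since the added lines sit directly below it, it is worth correcting in the same commit. In the added text, "When entering bug select <b>Native:JK</b> Component" would read better as "When entering a bug, select the <b>Native:JK</b> component", and the re-added 1.2.21 sentence "introduced in version 1.2.19" ends without a period.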


