Subject: Re: CVS commit: pkgsrc
To: None <pkgsrc-changes@netbsd.org>
From: Jim Wise <jwise@draga.com>
List: pkgsrc-changes
Date: 03/26/2001 21:55:13
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One other quick change which I forgot to mention (mentioned in the
pkg-CHANGES commit):

  * tomcat now neither overwrites existing config files on reinstall nor
    removes them on deinstall, as per the www/apache package (complete
    with .default files).

On Wed, 28 Mar 2001, Jim Wise wrote:

>
>Module Name:	pkgsrc
>Committed By:	jwise
>Date:		Wed Mar 28 02:46:09 UTC 2001
>
>Modified Files:
>	pkgsrc/www/jakarta-tomcat: Makefile
>	pkgsrc/www/jakarta-tomcat/files: md5 patch-sum
>	pkgsrc/www/jakarta-tomcat/patches: patch-aa
>	pkgsrc/www/jakarta-tomcat/pkg: MESSAGE PLIST
>Added Files:
>	pkgsrc/www/jakarta-tomcat/files: tomcat.sh
>	pkgsrc/www/jakarta-tomcat/pkg: DEINSTALL INSTALL
>Removed Files:
>	pkgsrc/www/jakarta-tomcat/patches: patch-ab patch-ac
>
>Log Message:
>Update jakarta-tomcat to version 3.2.1.
>
>Changes in the package since version 3.1.1 (the last pkgsrc version):
>=====================================================================
>
>  * tomcat is now always installed under ${PREFIX}/tomcat.  Making
>    ${TOMCAT_HOME} configurable added much complexity for no real
>    gain.
>
>    It had been my intention to aim for a hier(7)-like install for
>    tomcat with this version, but at this point there are way too many
>    hard-coded relative paths (relative to tomcat.home) in tomcat,
>    and in addition, all of the (quite good, really) documentation
>    assumes the standard install paths.
>
>    Note that the previous default value of ${TOMCAT_HOME} was
>    ${PREFIX}/jakarta/tomcat.
>
>  * an rc.subr-compatible (but not rc.subr-requiring) startup script is now
>    installed as ${PREFIX}/etc/rc.d/tomcat.
>
>  * if Sun's JSSE (Java Secure Socket Extensions) is in ${CLASSPATH} when
>    the pkg is built, tomcat will be built with support for SSL in the
>    standalone server mode.  This soft dependency will be replaced by a
>    hard dependency as soon as I get a chance to import a JSSE package
>    (soon).
>
>  * likewise, I will import an ap-jk package for the new apache connector
>    (mod_jk) soon.  ap-jserv continues to be usable for this purpose.
>
>Changes in tomcat itself since version 3.1.1:
>=============================================
>
>New in tomcat-3.2.1:
>--------------------
>Tomcat 3.2.1 is a maintenance and bug fix release, based on the Tomcat 3.2
>(final) code base.  The following changes are included:
>
>- Disallowed requesting JSP pages under the WEB-INF directory
>  (/WEB-INF/dummy.jsp).  Previously, only requests for static files
>  were being disallowed.
>
>- The JDBCRealm request interceptor will now log the description of any
>  JDBC exception that occurs, to aid in debugging.
>
>SECURITY VULNERABILITIES FIXED IN TOMCAT 3.2.1
>(note that these fixes were also made to the tomcat-3.1 branch in tomcat 3.1.1)
>
>Protection of Resources in /WEB-INF and /META-INF Directories
>
>The servlet specification prohibits servlet containers from serving resources
>in the /WEB-INF and /META-INF directories of a web application archive directly
>to clients.  In Tomcat 3.2, this means that URLs like:
>
>   http://localhost:8080/examples/WEB-INF/web.xml
>
>will return an error message, rather than the contents of your deployment
>descriptor.  However, there is a vulnerability in Tomcat 3.2 that exposes
>this information if the client requests a URL like this instead:
>
>       http://localhost:8080/examples//WEB-INF/web.xml
>
>(note the double slash before "WEB-INF").  This vulnerability has been
>corrected in Tomcat 3.2.1.
>
>Show Source Vulnerability
>
>The example application delivered with Tomcat 3.2 included a mechanism to
>display the source code for the JSP page examples.  This mechanism could
>be used to bypass the restrictions on displaying sensitive information in
>the WEB-INF and META-INF directories.  This vulnerability has been removed.
>
>New in tomcat-3.2:
>------------------
>Tomcat 3.2 is mainly a performance tune-up release, although a few new
>features have been added.
>
>- Support for mod_jk, which is a replacement for the elderly mod_jserv, has
>  had several bugs fixed and has received much more testing.  It is now
>  recommended that all users use mod_jk instead of mod_jserv.
>
>- Support for JAXP-based XML parser independence.
>
>- New and often requested "how-to" documents covering the following topics:
>     - Configuring workers.properties
>     - IIS and Netscape configuration
>     - Running tomcat inside an IIS or Netscape process
>     - Running Tomcat as a Windows NT service
>     - Configuring a JDBC realm
>     - Configuring mod_jk
>
>- First round of policy-based security support intended for running untrusted
>  code inside of Tomcat.  Interested users should test this support and post
>  feedback to the Tomcat users mailing list.
>
>- SSL support for standalone Tomcat. (Preliminary support first appeared in
>  3.1, but the support in 3.2 has received more testing and documentation
>  support).
>
>- Thread reuse is now enabled by default. The thread pool support code was part
>  of 3.1, but not enabled since it was new.
>
>- Support for pluggable session managers.  Unfortunately, no how-to documents
>  that support this functionality exist (yet).  For the adventurous, be aware
>  that the interface that allows administrators to plug in session managers is
>  the normal Interceptor interface.
>
>- An almost total rewrite of the HTTP request handling now results in improved
>  performance when running Tomcat stand-alone.
>
>- Significantly reduced garbage collection.
>
>- The code underwent a refactoring effort resulting in improved readability.
>
>- And of course, hundreds of miscellaneous improvements and fixes.
>
>
>To generate a diff of this commit:
>cvs rdiff -r1.14 -r1.15 pkgsrc/www/jakarta-tomcat/Makefile
>cvs rdiff -r1.4 -r1.5 pkgsrc/www/jakarta-tomcat/files/md5
>cvs rdiff -r1.5 -r1.6 pkgsrc/www/jakarta-tomcat/files/patch-sum
>cvs rdiff -r0 -r1.1 pkgsrc/www/jakarta-tomcat/files/tomcat.sh
>cvs rdiff -r1.4 -r1.5 pkgsrc/www/jakarta-tomcat/patches/patch-aa
>cvs rdiff -r1.5 -r0 pkgsrc/www/jakarta-tomcat/patches/patch-ab
>cvs rdiff -r1.2 -r0 pkgsrc/www/jakarta-tomcat/patches/patch-ac
>cvs rdiff -r0 -r1.1 pkgsrc/www/jakarta-tomcat/pkg/DEINSTALL \
>    pkgsrc/www/jakarta-tomcat/pkg/INSTALL
>cvs rdiff -r1.5 -r1.6 pkgsrc/www/jakarta-tomcat/pkg/MESSAGE
>cvs rdiff -r1.6 -r1.7 pkgsrc/www/jakarta-tomcat/pkg/PLIST
>
>Please note that diffs are not public domain; they are subject to the
>copyright notices on the relevant files.
>

- -- 
				Jim Wise
				jwise@draga.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (NetBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6wAEW2JhG4/qi8rQRAmRwAJ9moEjZyn4eVcRgLydAg0YfI7hmrwCfVezN
jIilo16Y6R/lkaIATMt9Ejw=
=UxIx
-----END PGP SIGNATURE-----
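The two /WEB-INF problems in the quoted release notes (the double-slash bypass, and JSP requests under /WEB-INF not being checked at all) are one bug class: the access check ran on the raw request string, or on only one of the handlers, instead of on the canonical path before any dispatch. The following is an added example, not Tomcat's code and not part of the commit above; it models the bypassable check and the normalize-then-check fix in plain Python, and goes a little beyond the two cases on the page by also covering dot segments, percent-encoding and case folding. The context path "/examples", the function names, and the sample request paths are all constructed here.

```python
"""Path-normalisation-before-authorisation, shown as an added example.

This is NOT Tomcat source.  `forbidden_naive()`/`naive_dispatch()` are a
constructed model of the bug class the 3.2.1 notes describe;
`forbidden_hardened()`/`hardened_dispatch()` show the fix.
"""
import posixpath
from urllib.parse import unquote

CONTEXT = "/examples"                 # constructed: the sample webapp's context path
PROTECTED = {"WEB-INF", "META-INF"}   # the two directories the servlet spec says never to serve


def forbidden_naive(request_path: str) -> bool:
    """Model of the bypassable check: strip the context, then test the raw
    remainder literally.  '//WEB-INF/web.xml' does not start with
    '/WEB-INF/', so the double slash walks straight past the test."""
    rel = request_path[len(CONTEXT):]
    return any(rel == "/" + d or rel.startswith("/" + d + "/") for d in PROTECTED)


def naive_dispatch(request_path: str) -> str:
    """Model of the second gap: only the static-file handler consults the
    check, so '/WEB-INF/dummy.jsp' reaches the JSP engine unchecked."""
    if request_path.endswith(".jsp"):
        return "jsp-engine"
    return "403" if forbidden_naive(request_path) else "static-file"


def normalize(request_path: str):
    """Return the canonical absolute path, or None if it cannot be trusted.

    Decode exactly once (the same number of times the file resolver will),
    refuse an encoded slash outright, then collapse '//', '/./' and '/../'.
    """
    if "%2f" in request_path.lower():      # encoded '/': refuse rather than guess
        return None
    canon = posixpath.normpath(unquote(request_path))
    if not canon.startswith("/"):
        return None
    return canon


def forbidden_hardened(request_path: str) -> bool:
    """Normalise first, then check every segment; fail closed on anything odd."""
    canon = normalize(request_path)
    if canon is None:
        return True
    if canon != CONTEXT and not canon.startswith(CONTEXT + "/"):
        return True                         # '..' escaped the context root
    segments = canon[len(CONTEXT):].split("/")
    # Case-folded so a case-insensitive filesystem cannot be used to slip
    # 'web-inf' past an exact match (a defensive extra, not from the notes).
    return any(seg.upper() in PROTECTED for seg in segments)


def hardened_dispatch(request_path: str) -> str:
    """The check runs before any handler is chosen, so JSPs are covered too."""
    if forbidden_hardened(request_path):
        return "403"
    return "jsp-engine" if request_path.endswith(".jsp") else "static-file"


if __name__ == "__main__":
    # Constructed sample requests, including the two from the release notes.
    for p in ("/examples/WEB-INF/web.xml", "/examples//WEB-INF/web.xml",
              "/examples/WEB-INF/dummy.jsp", "/examples/%57EB-INF/web.xml",
              "/examples/../other/x", "/examples/index.html"):
        print(f"{p:34} naive={naive_dispatch(p):12} hardened={hardened_dispatch(p)}")
```

The design point is ordering: canonicalise once, early, and make every handler see the same canonical path, rather than bolting the same string test onto each handler separately. The encoded-slash refusal is deliberate; a path that only becomes a slash after decoding is the kind of input where "guess and continue" loses.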