Subject: CVS commit: doc
To: None <source-changes@netbsd.org>
From: Jim Wise <jwise@netbsd.org>
List: source-changes
Date: 03/28/2001 05:50:41
Module Name:	doc
Committed By:	jwise
Date:		Wed Mar 28 02:50:40 UTC 2001

Modified Files:
	doc: pkg-CHANGES

Log Message:
Note update of jakarta-tomcat to version 3.2.1.

Changes in the package since version 3.1.1 (the last pkgsrc version):
=====================================================================

  * tomcat is now always installed under ${PREFIX}/tomcat.  Making
    ${TOMCAT_HOME} configurable added much complexity for no real
    gain.

    It had been my intention to aim for a hier(7)-like install for
    tomcat with this version, but at this point there are way too many
    hard-coded relative paths (relative to tomcat.home) in tomcat,
    and in addition, all of the (quite good, really) documentation
    assumes the standard install paths.

    Note that the previous default value of ${TOMCAT_HOME} was
    ${PREFIX}/jakarta/tomcat.

  * an rc.subr compatible (but not requiring) startup script is now installed
    as ${PREFIX}/etc/rc.d/tomcat.

  * tomcat now neither overwrites existing config files on reinstall nor
    removes them on deinstall, as per the www/apache package (complete
    with .default files).

  * if Sun's JSSE (Java Secure Socket Extensions) is in ${CLASSPATH} when
    the pkg is built, tomcat will be built with support for SSL in the
    standalone server mode.  This soft dependency will be replaced by a
    hard dependency as soon as I get a chance to import a JSSE package
    (soon).

  * likewise, I will import an ap-jk package for the new apache connector
    (mod_jk) soon.  ap-jserv continues to be usable for this purpose.

Changes in tomcat itself since version 3.1.1:
=============================================

New in tomcat-3.2.1:
--------------------
Tomcat 3.2.1 is a maintenance and bug fix release, based on the Tomcat 3.2
(final) code base.  The following changes are included:

- Disallowed requesting JSP pages under the WEB-INF directory
  (/WEB-INF/dummy.jsp).  Previously, only requests for static files
  were being disallowed.

- The JDBCRealm request interceptor will now log the description of any
  JDBC exception that occurs, to aid in debugging.

SECURITY VULNERABILITIES FIXED IN TOMCAT 3.2.1
(note that these fixes were also made to the tomcat-3.1 branch in tomcat 3.1.1)

Protection of Resources in /WEB-INF and /META-INF Directories

The servlet specification prohibits servlet containers from serving resources
in the /WEB-INF and /META-INF directories of a web application archive directly
to clients.  In Tomcat 3.2, this means that URLs like:

   http://localhost:8080/examples/WEB-INF/web.xml

will return an error message, rather than the contents of your deployment
descriptor.  However, there is a vulnerability in Tomcat 3.2 that exposes
this information if the client requests a URL like this instead:

       http://localhost:8080/examples//WEB-INF/web.xml

(note the double slash before "WEB-INF").  This vulnerability has been
corrected in Tomcat 3.2.1.
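To show why the double-slash request above slips past a raw-prefix test and how a normalise-then-check routine catches it, here is an added Python example (not Tomcat's code; the `/examples` context and the request paths are constructed). It goes a little beyond the note by also handling dot segments and percent-encoded characters.

```python
import posixpath
from urllib.parse import unquote

# Directories the servlet specification says must never be served to clients.
PROTECTED = ("WEB-INF", "META-INF")


def naive_is_protected(request_path: str, context: str) -> bool:
    """A plain prefix test on the raw request path, the kind of check the
    Tomcat 3.2 bug implies: it matches "/WEB-INF/..." but not "//WEB-INF/..."."""
    rel = request_path[len(context):]
    return any(rel == "/" + d or rel.startswith("/" + d + "/") for d in PROTECTED)


def should_serve(raw_path: str, context: str = "/examples") -> bool:
    """Decide whether a request may be served from the web application's
    document tree.  The path is percent-decoded, duplicate slashes and dot
    segments are collapsed, and only then is the first path segment compared
    against the protected names.  Returns False for anything that must be
    refused."""
    path = posixpath.normpath(unquote(raw_path))
    # normpath keeps a leading "//" (POSIX allows it); fold it to a single "/".
    path = "/" + path.lstrip("/")
    # A ".." sequence that climbs out of the application root is refused too.
    if path != context and not path.startswith(context + "/"):
        return False
    segments = [s for s in path[len(context):].split("/") if s]
    # Compare case-insensitively as a defensive extra for case-folding filesystems
    # (an assumption of this example, not something the release note states).
    if segments and segments[0].upper() in PROTECTED:
        return False
    return True


if __name__ == "__main__":
    # Constructed requests: the deployment-descriptor URL and its double-slash twin.
    for req in ("/examples/WEB-INF/web.xml", "/examples//WEB-INF/web.xml"):
        print(req, "naive:", naive_is_protected(req, "/examples"),
              "serve:", should_serve(req))
```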

Show Source Vulnerability

The example application delivered with Tomcat 3.2 included a mechanism to
display the source code for the JSP page examples.  This mechanism could
be used to bypass the restrictions on displaying sensitive information in
the WEB-INF and META-INF directories.  This vulnerability has been removed.

New in tomcat-3.2:
------------------
Tomcat 3.2 is mainly a performance tune-up release, although a few new
features have been added.

- Support for mod_jk, which is a replacement for the elderly mod_jserv, has
  had several bugs fixed and has received much more testing.  It is now
  recommended that all users use mod_jk instead of mod_jserv.

- Support JAXP-based XML parser independence.

- New and often requested "how-to" documents covering the following topics:
     - Configuring workers.properties
     - IIS and Netscape configuration
     - Running tomcat inside an IIS or Netscape process
     - Running Tomcat as a Windows NT service
     - Configuring a JDBC realm
     - Configuring mod_jk

- First round of policy-based security support intended for running untrusted
  code inside of Tomcat.  Interested users should test this support and post
  feedback to the Tomcat users mailing list.

- SSL support for standalone Tomcat. (Preliminary support first appeared in
  3.1, but the support in 3.2 has received more testing and documentation
  support).

- Thread reuse is now enabled by default. The thread pool support code was part
  of 3.1, but not enabled since it was new.

- Support for pluggable session managers.  Unfortunately, no how-to documents
  that support this functionality exist (yet). For the adventurous, be aware
  that the interface that allows administrators to plug in session managers is
  the normal Interceptor interface.

- An almost total rewrite of the HTTP request handling now results in improved
  performance when running Tomcat stand-alone.

- Significantly reduced garbage collection.

- The code underwent a refactoring effort resulting in improved readability.

- And of course, hundreds of miscellaneous improvements and fixes.


To generate a diff of this commit:
cvs rdiff -r1.3926 -r1.3927 doc/pkg-CHANGES

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.