![[ICO]](/icons/blank.gif){kind=icon}
![[DIR]](/icons/back.gif){kind=icon}
![[ ]](/icons/unknown.gif){kind=icon}
![[TXT]](/icons/text.gif){kind=icon}
![[ ]](/icons/compressed.gif){kind=icon}
![[DIR]](/icons/folder.gif){kind=icon}
| Name | Last modified | Size | Description |
|---|---|---|---|---|
| Parent Directory | - | ||
| facade22.jar | 06-Sep-2003 20:33 | 65K | |
| facade22.jar.asc | 06-Sep-2003 20:33 | 477 | |
| jakarta-servletapi.t..> | 06-Sep-2003 20:33 | 225K | |
| jakarta-servletapi.t..> | 06-Sep-2003 20:33 | 477 | |
| jakarta-servletapi.zip | 06-Sep-2003 20:33 | 427K | |
| jakarta-servletapi.z..> | 06-Sep-2003 20:33 | 477 | |
| jakarta-tomcat-3.3.1..> | 06-Sep-2003 20:33 | 4.6M | |
| jakarta-tomcat-3.3.1..> | 06-Sep-2003 20:33 | 477 | |
| jakarta-tomcat-3.3.1..> | 06-Sep-2003 20:33 | 4.7M | |
| jakarta-tomcat-3.3.1..> | 06-Sep-2003 20:33 | 477 | |
| linux/ | 06-Sep-2003 20:33 | - | |
| netware/ | 06-Sep-2003 20:33 | - | |
| tomcat.jar | 06-Sep-2003 20:33 | 39K | |
| tomcat.jar.asc | 06-Sep-2003 20:33 | 477 | |
| tomcat_modules.jar | 06-Sep-2003 20:33 | 213K | |
| tomcat_modules.jar.asc | 06-Sep-2003 20:33 | 477 | |
| tomcat_util.jar | 06-Sep-2003 20:33 | 186K | |
| tomcat_util.jar.asc | 06-Sep-2003 20:33 | 477 | |
| win32/ | 06-Sep-2003 20:33 | - | |
This directory contains the binary distributions for Tomcat 3.3.1a, which is a patched release of Tomcat 3.3.1 Final.
Tomcat 3.3.1a is a security release that fixes the following vulnerabilities:
Vulnerability where, when used with JDK 1.3.1 or earlier, a maliciously crafted request could return a directory listing even when an index.html, index.jsp, or other welcome file is present. File contents can be returned as well. If you are using Tomcat 3.3.1 or earlier with JDK 1.3.1 or earlier, you should either upgrade to JDK 1.4 or later, or upgrade your Tomcat installation to Tomcat 3.3.1a
This vulerablility may be fixed using a new Tomcat 3.3.1a installation or by upgrading an existing Tomcat 3.3.1 installation by replacing the following jar with the one in this directory:
| Replacement Jar | Location (relative to $TOMCAT_HOME) |
|---|---|
| tomcat_modules.jar | lib/container |
Vulnerability where a malicious web application could read the contents of some files outside the web application via its web.xml file in spite of the presence of a security manager. The content of files that can be read as part of an XML document would be accessible. If you are running Tomcat 3.3.1 or earlier with a security manager, and are serving web applications whose web.xml content is not known to be safe, you should upgrade your Tomcat installation to 3.3.1a.
This vulerablility may be fixed using a new Tomcat 3.3.1a installation or by upgrading an existing Tomcat 3.3.1 installation by replacing the following jars with the ones in this directory:
| Replacement Jar | Location (relative to $TOMCAT_HOME) |
|---|---|
| tomcat.jar | lib |
| facade22.jar | lib/container |
| tomcat_util.jar | lib/container |
Note: Only classes that required modification have be updated. Thus, the string that identifies the Tomcat version has not been updated. It will still indicate Tomcat 3.3.1 Final.
To address this security issue, administrators of public servers which have deployed any Apache Tomcat 3 version should make sure the 'examples' webapp is removed from the deployed Tomcat installation. Also, SnoopServlet.class should be removed from the 'ROOT' web application if still present in the installation.
These vulnerabilities will be removed from Tomcat 3.3.2 prior to release.
Background information on cross site scripting: This allows a mailicious
website to execute JavaScript code using the security policy of a trusted
domain.
More information:
http://httpd.apache.org/info/css-security/
Note: Due to an oversight, the bin\tomcat.bat file still
has Tomcat 3.3 as the title when starting Tomcat in a new window, rather than
Tomcat 3.3.1a. For WinNT, Win2k, or WinXP systems which display this title,
you may wish to manually make this change to avoid confusion.
Other portions of the release include:
Additional support:
Note: The binary release of the jakarta-servletapi is included here for completeness. It is not required to use the binary release of Tomcat 3.3.1.
Documentation of what is different between Tomcat 3.3(a) and Tomcat 3.3.1a may be found here.
You may find online documentation for Tomcat 3.3.1 here.
Note: The tar files in this distribution use GNU tar extensions, and must be untarred with a GNU compatible version of tar. The version of tar on Solaris and Mac OS X will not work with these files.