Blog from October, 2007

2007-10-19
The Apache Geronimo project is pleased to announce the new v2.0.2 release. This release represents the latest open source Java Enterprise Edition 5.0 application server from the Apache Geronimo project, and continues the evolution of the Apache Geronimo server by adding new features and capabilities to a fully compliant and certified Java Enterprise Edition 5.0 container suitable for everything from a development environment to enterprise-level deployments.

Significant changes in this release include MEJB security, new default JNDI names for EJBs, an updated CA Helper application and numerous bug fixes. See the RELEASE-NOTES-2.0.2.TXT for further details.

Visit the Downloads page for details on downloading Apache Geronimo v2.0.2.

2007-10-18

We have learned of a security vulnerability in the Apache Tomcat Webdav Servlet implementation. If you use the Tomcat distribution of Geronimo and configure a write-enabled Webdav servlet, you may be affected by this vulnerability. If you do not configure the Webdav servlet or configure read-only Webdav servlets, you are not impacted by this vulnerability. Jetty configurations of Geronimo are not affected by this vulnerability.

This vulnerability impacts all Geronimo releases up to and including Geronimo 2.0.2. Read the full article for further details and a workaround.

For specific information regarding the Tomcat issue, see http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3c47135C2D.1000705@apache.org%3e

By default, Geronimo releases do not use the Webdav servlet. However, it is possible for the Webdav Servlet to be configured or referenced by a user-written application.

The Webdav Servlet could be explicitly configured in a web.xml deployment descriptor as follows:

    ...
    <servlet>
        <servlet-name>webdav</servlet-name>
        <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
    </servlet>
    ...

Alternatively, a user's application could extend the WebdavServlet, for example:

    import org.apache.catalina.servlets.WebdavServlet;

    public class MyServlet extends WebdavServlet {
        ...
    }

If you configure a write-enabled Webdav servlet, we recommend that you:

  • Disable write access to the Webdav Servlet until this problem has been fixed, or
  • Limit access to the Webdav servlet to only trusted users.

This vulnerability will be fixed in the next release of Geronimo (2.0.3 and/or 2.1).
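The two workarounds above (switch the servlet to read-only, or restrict who can reach it) are both expressed in web.xml, so they can be audited mechanically. The following script is an added example, not Geronimo or Tomcat project code: it parses a deployment descriptor, finds every servlet declared with the class org.apache.catalina.servlets.WebdavServlet, reads its readonly init-param (Tomcat defaults this to true when the parameter is absent), and reports whether each of its URL mappings is covered by a security-constraint with an auth-constraint. The two embedded descriptors are constructed samples: the first is the write-enabled declaration from the advisory, the second applies both workarounds using a hypothetical role name webdav-admin.

```python
"""Audit a web.xml for write-enabled Tomcat WebDAV servlets (added example)."""
import xml.etree.ElementTree as ET

WEBDAV_CLASS = "org.apache.catalina.servlets.WebdavServlet"

# Constructed sample: the write-enabled declaration from the advisory,
# mapped to /webdav/* with no access restriction.
VULNERABLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>webdav</servlet-name><url-pattern>/webdav/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample applying both workarounds: readonly=true, plus a
# security-constraint limiting /webdav/* to the hypothetical role
# webdav-admin, authenticated with BASIC auth.
HARDENED_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>webdav</servlet-name><url-pattern>/webdav/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebDAV</web-resource-name><url-pattern>/webdav/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>webdav-admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>WebDAV</realm-name></login-config>
  <security-role><role-name>webdav-admin</role-name></security-role>
</web-app>
"""


def _local(tag):
    """Drop the XML namespace prefix so tags match with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child named `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def _guarded_patterns(root):
    """URL patterns covered by a security-constraint that carries an auth-constraint."""
    guarded = set()
    for sc in root:
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue  # no auth-constraint means no role is required
        for wrc in sc:
            if _local(wrc.tag) == "web-resource-collection":
                for up in wrc:
                    if _local(up.tag) == "url-pattern":
                        guarded.add((up.text or "").strip())
    return guarded


def audit_webdav(web_xml_text):
    """Return one finding dict per WebdavServlet declared in the descriptor."""
    root = ET.fromstring(web_xml_text)
    guarded = _guarded_patterns(root)
    mappings = [m for m in root if _local(m.tag) == "servlet-mapping"]
    findings = []
    for servlet in root:
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != WEBDAV_CLASS:
            continue
        name = _child_text(servlet, "servlet-name")
        readonly = True  # Tomcat's WebdavServlet defaults to readonly=true
        for ip in servlet:
            if _local(ip.tag) == "init-param" and _child_text(ip, "param-name") == "readonly":
                readonly = _child_text(ip, "param-value").lower() != "false"
        patterns = [_child_text(m, "url-pattern") for m in mappings
                    if _child_text(m, "servlet-name") == name]
        protected = bool(patterns) and all(p in guarded for p in patterns)
        if readonly:
            status = "not affected (read-only)"
        elif protected:
            status = "affected: write-enabled, access limited by security-constraint"
        else:
            status = "affected: write-enabled and unrestricted"
        findings.append({"servlet": name, "readonly": readonly,
                         "patterns": patterns, "protected": protected, "status": status})
    return findings


if __name__ == "__main__":
    for label, descriptor in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for f in audit_webdav(descriptor):
            print(f"{label}: {f['servlet']} {f['patterns']} -> {f['status']}")
```

The check matches on the declared servlet class only, so an application that takes the second route above (a user class extending WebdavServlet) will not be flagged by its web.xml; for those, the deployed classes themselves have to be inspected for the superclass.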

November 26-30, 2007 - OS Summit Asia 2007, Hong Kong

Monday Nov 26 14:30 Securing Java EE Applications in Apache Geronimo by Vamsavardhana Reddy.
Monday Nov 26 10:00 Java EE 5 App Development on Geronimo simplified using Eclipse & WTP by Shiva Kumar.

Check OS Summit Asia 2007 for calendar updates.

November 6-8, 2007 - EclipseWorld 2007, Reston, VA

Thursday, Nov. 8, 08:30 am 503 Introduction to Developing, Debugging and Profiling Java EE Applications by Tim McConnell
Thursday, Nov. 8, 10:00 am 603 Advanced Developing, Debugging and Profiling Java EE Applications by Tim McConnell

Visit EclipseWorld 2007 for more information.