- 7 August 2007 - JK-1.2.25 released
The Apache Tomcat team is proud to announce the immediate availability
of Tomcat Connectors 1.2.25 Stable.
Download the JK 1.2.25 release sources
| PGP signature
Download the binaries for selected platforms.
- 27 July 2007 - JK-1.2.24 released
This release has been withdrawn.
- 18 May 2007 - JK-1.2.23 released
The Apache Tomcat team is proud to announce the immediate availability
of Tomcat Connectors 1.2.23 Stable.
This version addresses the security flaw:
CVE-2007-1860
A double encoded ".." in a URL can be used to access URLs on the AJP backend,
for which no mod_jk forwarding rule exists (patch for CVE-2007-0450 was insufficient).
This version fixes the problem by using ForwardURICompatUnparsed
as the default for the forwarding JkOption.
You can similarly fix the problem for all previous versions of mod_jk by setting
"JkOption ForwardURICompatUnparsed".
If you upgrade to version 1.2.23 please ensure, that you do not have
a different forwarding option in your existing configuration.
We highly recommend, that you are consulting the
forwarding documentation,
especially concerning the implications for interaction with mod_rewrite.
Please note that this issue only affects configurations,
which use a prefix forwarding rule like "/myapp/*" or "/myapp/*.jsp"
to restrict access to the context "/myapp". The issue will allow
malicious URLs to reach "/otherapp" or "/otherapp/*.jsp" as well.
The Tomcat Project thanks Kazu Nambo for his responsible reporting of this
vulnerability.
Download the JK 1.2.23 release sources
| PGP signature
Download the binaries for selected platforms.
- 17 April 2007 - JK-1.2.22 released
The Apache Tomcat team is proud to announce the immediate availability
of Tomcat Connectors 1.2.22 Stable.
Download the JK 1.2.22 release sources
| PGP signature
Download the binaries for selected platforms.
- 1 March 2007 - JK-1.2.21 released
The Apache Tomcat team is proud to announce the immediate availability
of Tomcat Connectors 1.2.21 Stable.
This version addresses the security flaw:
CVE-2007-0774
A Long URL Stack Overflow Vulnerability exists in the URI handler for the mod_jk library.
When parsing a long URL request, the URI worker map routine performs an
unsafe memory copy. This results in a stack overflow condition which can
be leveraged execute arbitrary code.
Please note this issue only affected versions 1.2.19 and 1.2.20 of the
JK Apache Tomcat Connector and not previous versions.
Tomcat 5.5.20 and Tomcat 4.1.34
included a vulnerable version in their source packages.
No other source code releases and no binary packages
of Tomcat were affected.
The Apache Tomcat project recommends that all users who have built mod_jk from source apply the patch or upgrade to the latest level and rebuild. Providers of mod_jk-based modules in pre-compiled form will be able to determine if this vulnerability applies to their builds. That determination has no bearing on any other builds of mod_jk, and mod_jk users are urged to exercise caution and apply patches or upgrade unless they have specific instructions from the provider of their module.
The Tomcat Project thanks an anonymous researcher working with
TippingPoint (www.tippingpoint.com) and the Zero Day Initiative
(www.zerodayintiative.com) for their responsible reporting of this
vulnerability.
Download the JK 1.2.21 release sources
| PGP signature
Download the binaries for selected platforms.
- 10 December 2006 - JK-1.2.20 released
The Apache Tomcat team is proud to announce the immediate availability
of Tomcat Connectors 1.2.20 Stable.
Download the JK 1.2.20 release sources
| PGP signature
Download the binaries for selected platforms.
- 17 September 2006 - JK-1.2.19 released
The Apache Tomcat team is proud to announce the immediate availability
of Tomcat Connectors 1.2.19 Stable.
Download the JK 1.2.19 release sources
| PGP signature
Download the binaries for selected platforms.