Debian Security Advisory DSA 169-1 (tomcat4)

Summary
The remote host is missing an update to tomcat4 announced via advisory DSA 169-1.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20169-1
Insight
A security vulnerability has been found in all Tomcat 4.x releases. This problem allows an attacker to use a specially crafted URL to return the unprocessed source code of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by security constraints, without the need for being properly authenticated. This problem has been fixed in version 4.0.3-3woody1 for the current stable distribution (woody) and in version 4.1.12-1 for the unstable release (sid). The old stable release (potato) does not contain tomcat packages. Also, packages for tomcat3 are not vulnerable to this problem. We recommend that you upgrade your tomcat package immediately.