This is not a security bug (it is a bug, just not a security one..). The
directory list can be aquired with the ";" only if directory listing is allowed.
If directory listing is disabled, tomcat will show a 404 page if a ";" is in
there. Based on what I am seeing, it seems that everything after the ";" gets
cut off, and tomcat only considers the initial part. e.g.

Listing allowed:
http://site.org/ will display contents
http://site.org/;test will display contents

Listing disabled:
http://site.org/ will display 404
http://site.org/;test will display 404

Listing enabled/disabled, but index.[jsp|html|etc.] is in root
http://site.org/ will display the index
http://site.org/;test will display the index

Thus, there is no scenario where a ";" lists directory contents, but directory
contents cannnot otherwise be fetched.

Instructions to disable listing are here:
http://tomcat.apache.org/faq/misc.html#listing

Some additional details:

This is a bug (that everything after ";" gets discarded by tomcat), but not a
security issue.

The ";" basically does not allow a user (visiting the site) to do anything they
otherwise cannot do. The crux of the argument on why this was a security issue
is that if someone put a ";" in the path, they got the directory listed.
However, if they had simply put the directory name in the URL, they could've
gotten the directory listed then too. If directory listing is disabled on the
other hand, then there is no way for any user to get the directory list, not
even with a ";"

I tested on tomcat 5.0.28 and tomcat 5.5.12. In both cases, once I disabled
directory listing, I was unable to get the directory contents even with a ";" in
there.

Details on how to disable directory listing are here:
http://tomcat.apache.org/faq/misc.html#listing