Your message dated Sat, 29 Dec 2007 20:32:22 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#458237: fixed in tomcat5.5 5.5.25-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: tomcat5.5
Version: 5.5.20-2
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for tomcat5.5.
CVE-2007-5342[0]:
| The default catalina.policy in the JULI logging component in Apache
| Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict
| certain permissions for web applications, which allows attackers to
| modify logging configuration options and overwrite arbitrary files, as
| demonstrated by changing the (1) level, (2) directory, and (3) prefix
| attributes in the org.apache.juli.FileHandler handler.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
A patch can be found on:
http://svn.apache.org/viewvc/tomcat/trunk/conf/catalina.policy?r1=593649&r2=606594&pathrev=606594&view=patch
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpbRpXCzA7R2.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: tomcat5.5
Source-Version: 5.5.25-4
We believe that the bug you reported is fixed in the latest version of
tomcat5.5, which is due to be installed in the Debian FTP archive:
libtomcat5.5-java_5.5.25-4_all.deb
to pool/main/t/tomcat5.5/libtomcat5.5-java_5.5.25-4_all.deb
tomcat5.5-admin_5.5.25-4_all.deb
to pool/main/t/tomcat5.5/tomcat5.5-admin_5.5.25-4_all.deb
tomcat5.5-webapps_5.5.25-4_all.deb
to pool/main/t/tomcat5.5/tomcat5.5-webapps_5.5.25-4_all.deb
tomcat5.5_5.5.25-4.diff.gz
to pool/main/t/tomcat5.5/tomcat5.5_5.5.25-4.diff.gz
tomcat5.5_5.5.25-4.dsc
to pool/main/t/tomcat5.5/tomcat5.5_5.5.25-4.dsc
tomcat5.5_5.5.25-4_all.deb
to pool/main/t/tomcat5.5/tomcat5.5_5.5.25-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Koch <[EMAIL PROTECTED]> (supplier of updated tomcat5.5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 29 Dec 2007 20:15:40 +0100
Source: tomcat5.5
Binary: libtomcat5.5-java tomcat5.5 tomcat5.5-admin tomcat5.5-webapps
Architecture: source all
Version: 5.5.25-4
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[EMAIL PROTECTED]>
Changed-By: Michael Koch <[EMAIL PROTECTED]>
Description:
libtomcat5.5-java - Java Servlet engine -- core libraries
tomcat5.5 - Servlet and JSP engine
tomcat5.5-admin - Java Servlet engine -- admin & manager web interfaces
tomcat5.5-webapps - Java Servlet engine -- documentation and example web
applications
Closes: 456608 458237
Changes:
tomcat5.5 (5.5.25-4) unstable; urgency=high
.
* CVE-2007-5342: Fix unauthorized modification of data because of
too open permissions. Closes: #458237.
* Always clean temporary directory on startup. Closes: #456608.
Files:
85cd954622e0b4832ae017fd4d8d1150 1347 web optional tomcat5.5_5.5.25-4.dsc
3791ec9c54d080a0a4d5076756f35abb 31901 web optional tomcat5.5_5.5.25-4.diff.gz
9f6e3d9f70aeabeb37da6c68bb4aad01 61314 web optional tomcat5.5_5.5.25-4_all.deb
dd51f3475318c320bc787cfe0f2ffa26 2420742 web optional
libtomcat5.5-java_5.5.25-4_all.deb
8ba361ac714ee9bd241e8ad152d33dd6 1486540 web optional
tomcat5.5-webapps_5.5.25-4_all.deb
22dee5cc4d1ed6446e04c82b8f8572c9 1135776 web optional
tomcat5.5-admin_5.5.25-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHdqbtWSOgCCdjSDsRAtjoAKCYqGTO/6BcaQdmK/ilcCKinMGcnQCeP61P
YPPiXdTKunyjW1osgUud9t0=
=F/06
-----END PGP SIGNATURE-----
--- End Message ---
