Your message dated Fri, 04 Jan 2008 07:52:23 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#458237: fixed in tomcat5.5 5.5.20-2etch1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: tomcat5.5
Version: 5.5.20-2
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for tomcat5.5.

CVE-2007-5342[0]:
| The default catalina.policy in the JULI logging component in Apache
| Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict
| certain permissions for web applications, which allows attackers to
| modify logging configuration options and overwrite arbitrary files, as
| demonstrated by changing the (1) level, (2) directory, and (3) prefix
| attributes in the org.apache.juli.FileHandler handler.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

A patch can be found on:
http://svn.apache.org/viewvc/tomcat/trunk/conf/catalina.policy?r1=593649&r2=606594&pathrev=606594&view=patch

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.


--- End Message ---
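The CVE text above describes a default catalina.policy that lets the JULI logging code, and through it a web application, change the FileHandler level, directory and prefix and so write arbitrary files. One way to check a deployed policy for that class of over-grant, as an added example that is not part of the bug report, the Debian package or the Apache patch linked above: a small parser for `grant` blocks plus an audit that flags AllPermission on any non-JDK codeBase and any FilePermission granting write or delete outside `${catalina.base}/logs`. The two policy excerpts are constructed for this illustration. The "weak" one models an unrestricted AllPermission grant to tomcat-juli.jar (an assumption about the pre-fix default; compare with the patch itself), the "restricted" one is written in the spirit of the fix and is not the patched file's text. Only `codeBase` grants are parsed; `signedBy` and `principal` clauses are not handled.

```python
"""Audit a catalina.policy for over-broad grants of the kind behind CVE-2007-5342.

Added example, not code from the bug report, the Debian package or the Apache
patch. The policy excerpts below are constructed for this demo; compare real
grants against the catalina.policy patch linked in the report.
"""
import re

# One "grant" block: optional codeBase, then permission lines up to "};".
# Quoted strings may contain ${...}, so the block ends at the first "}" that
# is followed by ";".
GRANT_RE = re.compile(r'grant\b(?:\s+codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
# permission <class> ["<target>" [, "<actions>"]];
PERM_RE = re.compile(r'permission\s+([\w.]+)\s*(?:"([^"]*)")?\s*(?:,\s*"([^"]*)")?\s*;')

LOG_DIR = "${catalina.base}${file.separator}logs"  # the only tree JULI should write to
JDK_PREFIX = "file:${java.home}"                   # the JDK's own jars keep AllPermission


def parse_policy(text):
    """Return [(codeBase or None, [(class, target, actions), ...]), ...]."""
    text = re.sub(r'^[ \t]*//[^\n]*', '', text, flags=re.M)  # drop // comment lines
    grants = []
    for m in GRANT_RE.finditer(text):
        perms = [(p.group(1), p.group(2), p.group(3)) for p in PERM_RE.finditer(m.group(2))]
        grants.append((m.group(1), perms))
    return grants


def audit_policy(text):
    """Return (codeBase, message) pairs for grants that let code reconfigure
    logging or write outside the logs directory."""
    findings = []
    for codebase, perms in parse_policy(text):
        if codebase and codebase.startswith(JDK_PREFIX):
            continue  # JDK jars legitimately hold AllPermission
        who = codebase or "<grant without codeBase>"
        for cls, target, actions in perms:
            if cls == "java.security.AllPermission":
                findings.append((who, "AllPermission: can change the JULI handler "
                                      "configuration and write any file"))
            elif cls == "java.io.FilePermission":
                acts = {a.strip() for a in (actions or "").split(",")}
                if acts & {"write", "delete"} and not (target or "").startswith(LOG_DIR):
                    findings.append((who, "write/delete outside the logs dir: " + (target or "")))
    return findings


# Constructed excerpt: an unrestricted grant to the logging jar (assumed
# pre-fix shape) and a web application allowed to rewrite logging.properties.
WEAK_POLICY = """
// constructed sample, not the shipped catalina.policy
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.security.AllPermission;
};
grant codeBase "file:${catalina.base}/webapps/example/-" {
        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read,write";
};
"""

# Constructed excerpt in the spirit of the fix: JULI may read its config,
# write only under the logs directory and control java.util.logging.
RESTRICTED_POLICY = """
// constructed sample, not the text of the Apache patch
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
        permission java.lang.RuntimePermission "shutdownHooks";
        permission java.util.logging.LoggingPermission "control";
        permission java.util.PropertyPermission "catalina.base", "read";
};
grant codeBase "file:${catalina.base}/webapps/example/-" {
        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
};
"""

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(label + ":", audit_policy(policy) or "no findings")
```

Run stand-alone it reports two findings for the weak excerpt and none for the restricted one; point `audit_policy` at the contents of a real catalina.policy to review an installation. Note that catalina.policy is only enforced when Tomcat runs under the Java security manager; without one the policy file is not consulted and nothing separates a web application from the JULI configuration in the first place.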
--- Begin Message ---
Source: tomcat5.5
Source-Version: 5.5.20-2etch1

We believe that the bug you reported is fixed in the latest version of
tomcat5.5, which is due to be installed in the Debian FTP archive:

libtomcat5.5-java_5.5.20-2etch1_all.deb
  to pool/main/t/tomcat5.5/libtomcat5.5-java_5.5.20-2etch1_all.deb
tomcat5.5-admin_5.5.20-2etch1_all.deb
  to pool/main/t/tomcat5.5/tomcat5.5-admin_5.5.20-2etch1_all.deb
tomcat5.5-webapps_5.5.20-2etch1_all.deb
  to pool/main/t/tomcat5.5/tomcat5.5-webapps_5.5.20-2etch1_all.deb
tomcat5.5_5.5.20-2etch1.diff.gz
  to pool/main/t/tomcat5.5/tomcat5.5_5.5.20-2etch1.diff.gz
tomcat5.5_5.5.20-2etch1.dsc
  to pool/main/t/tomcat5.5/tomcat5.5_5.5.20-2etch1.dsc
tomcat5.5_5.5.20-2etch1_all.deb
  to pool/main/t/tomcat5.5/tomcat5.5_5.5.20-2etch1_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Koch <[EMAIL PROTECTED]> (supplier of updated tomcat5.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 03 Jan 2008 11:10:07 +0100
Source: tomcat5.5
Binary: libtomcat5.5-java tomcat5.5 tomcat5.5-admin tomcat5.5-webapps
Architecture: source all
Version: 5.5.20-2etch1
Distribution: stable-security
Urgency: high
Maintainer: Debian Java Maintainers <[EMAIL PROTECTED]>
Changed-By: Michael Koch <[EMAIL PROTECTED]>
Description: 
 libtomcat5.5-java - Java Servlet engine -- core libraries
 tomcat5.5  - Java Servlet 2.4 engine with JSP 2.0 support
 tomcat5.5-admin - Java Servlet engine -- admin & manager web interfaces
 tomcat5.5-webapps - Java Servlet engine -- documentation and example web applications
Closes: 448664 458237
Changes: 
 tomcat5.5 (5.5.20-2etch1) stable-security; urgency=high
 .
   * CVE-2007-3382: Fix handling of '"' in cookies.
   * CVE-2007-3385: Fix handling of \'' sequence in cookies.
   * CVE-2007-3386: Fix HTML injection problem.
   * CVE-2007-5342: Fix unauthorized modification of data because of
     too open permissions. Closes: #458237.
   * CVE-2007-5461: Fix absolute path traversal vulnerability.
     Closes: #448664.
Files: 
 c2193e917dd759a50b8481177bfcef39 1277 web optional tomcat5.5_5.5.20-2etch1.dsc
 5775bae8fac16a0e3a2c913c4768bb37 4796377 web optional tomcat5.5_5.5.20.orig.tar.gz
 6df1691cbea55b10e2d2d865b4b2983a 28422 web optional tomcat5.5_5.5.20-2etch1.diff.gz
 a1de64bb115d03c4d33c28065e0c793a 56744 web optional tomcat5.5_5.5.20-2etch1_all.deb
 5f6482d73f7507b5f2f050ea825ee800 2385530 web optional libtomcat5.5-java_5.5.20-2etch1_all.deb
 4bc554684655794b1d82db2160d67bea 1472296 web optional tomcat5.5-webapps_5.5.20-2etch1_all.deb
 ab90aab000037913260361eec812c573 1162332 web optional tomcat5.5-admin_5.5.20-2etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHfUuoXm3vHE4uyloRAifyAJ9LmLiFgKSgfYPNpWK9kcmn5jz/+ACcDTU9
/yvLXWxYVns8KlNH/9P+X4s=
=pfNb
-----END PGP SIGNATURE-----
--- End Message ---