Your message dated Wed, 13 Feb 2008 21:38:51 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#465644: tomcat5.5: CVE-2007-5342 unauthorized
modification of information
has caused the Debian Bug report #465644,
regarding tomcat5.5: CVE-2007-5342 unauthorized modification of information
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
465644: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=465644
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: tomcat5.5
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for tomcat5.5.
CVE-2007-6286[0]:
| Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the
| native APR connector is used, does not properly handle an empty
| request to the SSL port, which allows remote attackers to trigger
| handling of "a duplicate copy of one of the recent requests," as
| demonstrated by using netcat to send the empty request.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Version: 5.5.25-4
On Wed, Feb 13, 2008 at 06:15:03PM +0100, Nico Golde wrote:
> Package: tomcat5.5
> Severity: grave
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for tomcat5.5.
>
> CVE-2007-6286[0]:
> | Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the
> | native APR connector is used, does not properly handle an empty
> | request to the SSL port, which allows remote attackers to trigger
> | handling of "a duplicate copy of one of the recent requests," as
> | demonstrated by using netcat to send the empty request.
>
> If you fix this vulnerability please also include the CVE id
> in your changelog entry.
>
> For further information:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286
This was fixed in 5.5.25-4 already.
Cheers,
Michael
--- End Message ---