Your message dated Sat, 19 Apr 2008 21:47:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#465645: fixed in tomcat5.5 5.5.26-1
has caused the Debian Bug report #465645,
regarding tomcat5.5: CVE-2007-5333 unauthorized disclosure of information
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
465645: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=465645
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: tomcat5.5
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for tomcat5.5.

CVE-2007-5333[0]:
| Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0
| through 4.1.36 does not properly handle (1) double quote (")
| characters or (2) %5C (encoded backslash) sequences in a cookie value,
| which might cause sensitive information such as session IDs to be
| leaked to remote attackers and enable session hijacking attacks.  NOTE:
| this issue exists because of an incomplete fix for CVE-2007-3385.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
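The CVE text above names two characters, a raw double quote and an encoded backslash (%5C), whose mishandling in a cookie value can expose a session ID. The defensive takeaway is that a server should never emit a cookie value it would later have to quote or escape, and should validate the decoded form as well as the raw one. The following is an added example, not code from Tomcat or from the Debian package: a strict RFC 6265 cookie-octet validator, a Set-Cookie builder that refuses values outside that set, and two Cookie-header parsers (a naive split versus a quoted-string-aware one) run over a constructed header so the reader can see why a stray `"` makes parsers disagree about where the next name=value pair starts. The function names, the constructed sample header and the Path/HttpOnly attributes are all assumptions of this example.

```python
"""Cookie-value hygiene checks (added example; not Tomcat's or Debian's code)."""
import re
from urllib.parse import unquote

# RFC 6265 "cookie-octet": printable US-ASCII minus CTLs, space, DQUOTE,
# comma, semicolon and backslash.  Rejecting anything else at emission time
# means a value can never contain the '"' or '\' named in CVE-2007-5333.
_COOKIE_OCTET_RE = re.compile(r'[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*')
# RFC 7230 token, used here for cookie names.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def is_safe_cookie_value(value: str) -> bool:
    """True only if every character of value is an RFC 6265 cookie-octet."""
    return _COOKIE_OCTET_RE.fullmatch(value) is not None


def is_safe_after_decoding(raw: str) -> bool:
    """Check both the raw and the percent-decoded form: '%5C' is made of
    cookie-octets, but it decodes to a backslash."""
    return is_safe_cookie_value(raw) and is_safe_cookie_value(unquote(raw))


def set_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie header line, refusing values that would need quoting."""
    if _TOKEN_RE.fullmatch(name) is None:
        raise ValueError(f"invalid cookie name: {name!r}")
    if not is_safe_cookie_value(value):
        raise ValueError(f"cookie {name!r}: value contains characters outside cookie-octet")
    return f"Set-Cookie: {name}={value}; Path=/; HttpOnly"


def naive_split(header: str) -> dict:
    """Split a Cookie header on ';' and '=' with no knowledge of quoting."""
    pairs = {}
    for part in header.split(';'):
        if '=' in part:
            k, v = part.split('=', 1)
            pairs[k.strip()] = v.strip()
    return pairs


def parse_cookie_header(header: str) -> dict:
    """Parse a Cookie header honouring RFC 2109-style quoted-string values,
    where '"' delimits a value and '\\' escapes the next character."""
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in ' ;':          # skip separators
            i += 1
        if i >= n:
            break
        eq = header.find('=', i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        i = eq + 1
        if i < n and header[i] == '"':             # quoted-string value
            i += 1
            buf = []
            while i < n and header[i] != '"':
                if header[i] == '\\' and i + 1 < n:  # quoted-pair
                    i += 1
                buf.append(header[i])
                i += 1
            i += 1                                  # consume closing DQUOTE
            value = ''.join(buf)
        else:                                       # bare value up to next ';'
            end = header.find(';', i)
            if end == -1:
                end = n
            value = header[i:end].strip()
            i = end
        cookies[name] = value
    return cookies


if __name__ == "__main__":
    # Constructed sample header: the raw '"' in a's value makes the two
    # parsers disagree about where JSESSIONID begins.
    sample = 'a="x; JSESSIONID=123"; b=2'
    print(naive_split(sample))          # {'a': '"x', 'JSESSIONID': '123"', 'b': '2'}
    print(parse_cookie_header(sample))  # {'a': 'x; JSESSIONID=123', 'b': '2'}
    print(set_cookie_header("JSESSIONID", "ABC123"))
    print(is_safe_after_decoding("abc%5Cdef"))   # False
```

The two parsers agree on ordinary values and disagree only once a value contains a raw `"`; that disagreement is the kind of ambiguity a strict emission-time check removes. Validating after percent-decoding matters because `%5C` passes a check on the raw string and only becomes a backslash once decoded.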
--- Begin Message ---
Source: tomcat5.5
Source-Version: 5.5.26-1

We believe that the bug you reported is fixed in the latest version of
tomcat5.5, which is due to be installed in the Debian FTP archive:

libtomcat5.5-java_5.5.26-1_all.deb
  to pool/main/t/tomcat5.5/libtomcat5.5-java_5.5.26-1_all.deb
tomcat5.5-admin_5.5.26-1_all.deb
  to pool/main/t/tomcat5.5/tomcat5.5-admin_5.5.26-1_all.deb
tomcat5.5-webapps_5.5.26-1_all.deb
  to pool/main/t/tomcat5.5/tomcat5.5-webapps_5.5.26-1_all.deb
tomcat5.5_5.5.26-1.diff.gz
  to pool/main/t/tomcat5.5/tomcat5.5_5.5.26-1.diff.gz
tomcat5.5_5.5.26-1.dsc
  to pool/main/t/tomcat5.5/tomcat5.5_5.5.26-1.dsc
tomcat5.5_5.5.26-1_all.deb
  to pool/main/t/tomcat5.5/tomcat5.5_5.5.26-1_all.deb
tomcat5.5_5.5.26.orig.tar.gz
  to pool/main/t/tomcat5.5/tomcat5.5_5.5.26.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Koch <[EMAIL PROTECTED]> (supplier of updated tomcat5.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 19 Apr 2008 23:18:30 +0200
Source: tomcat5.5
Binary: tomcat5.5 libtomcat5.5-java tomcat5.5-webapps tomcat5.5-admin
Architecture: source all
Version: 5.5.26-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <[EMAIL PROTECTED]>
Changed-By: Michael Koch <[EMAIL PROTECTED]>
Description: 
 libtomcat5.5-java - Java Servlet engine -- core libraries
 tomcat5.5  - Servlet and JSP engine
 tomcat5.5-admin - Java Servlet engine -- admin & manager web interfaces
 tomcat5.5-webapps - Java Servlet engine -- documentation and example web applications
Closes: 418826 458977 460839 465645 472899
Changes: 
 tomcat5.5 (5.5.26-1) unstable; urgency=low
 .
   [ Michael Koch ]
   * New upstream release.
     - CVE-2007-5333: unauthorized disclosure of information. Closes: #465645
     - CVE-2007-6286: handling of empty requests.
   * debian/rules: Don't fail when files to delete don't exist.
     Closes: #458977
   * debian/tomcat5.5.init: Change directory to $CATALINA_BASE/temp before
     starting the daemon. Patch by David Pashley. Closes: #418826
   * debian/tomcat5.5.init: Use 'printf' instead of 'echo -e'.
     Closes: #472899
 .
   [ Marcus Better ]
   * debian/policy/04webapps.policy: Grant read permission to JULI for the
     (non-existing) logging.properties file in the example webapps. Closes:
     #460839.
Checksums-Sha1: 
 a31f3d01e12fd245a1f24abf9e7ef899e4429957 1739 tomcat5.5_5.5.26-1.dsc
 1eb1c479023d3a7e459ce03860d9d984b673ab27 5062991 tomcat5.5_5.5.26.orig.tar.gz
 b64d8371e6695bd2745db3b3f65b8192c1bc3b1a 29833 tomcat5.5_5.5.26-1.diff.gz
 8893ace30f6a97cedc6570faa8f06c231d53af6b 62614 tomcat5.5_5.5.26-1_all.deb
 cd6881bda202941ab380107195ff19e68ca243e4 2487026 libtomcat5.5-java_5.5.26-1_all.deb
 4d6cd78d76d324bb2983f2ba395b88d04c2bcb8a 1491106 tomcat5.5-webapps_5.5.26-1_all.deb
 e35d758a49fea6ea6947cf10d57e8913928861e6 1142846 tomcat5.5-admin_5.5.26-1_all.deb
Checksums-Sha256: 
 de12d01e2f33e2c8b7152ff580792fbcbca3b3141a39338b6eb9a4ed115da37b 1739 tomcat5.5_5.5.26-1.dsc
 ddc677d7391c438e6102d0b3e9653eaca661344ef74b0260c1f488340d660395 5062991 tomcat5.5_5.5.26.orig.tar.gz
 439cb654b5f5729dbc791812b717f0ea86ca271f907dec3f6ce4ea27c5fdca3f 29833 tomcat5.5_5.5.26-1.diff.gz
 3c39c32cc35409a23717b89ec62c874898730daa0ddfa085c3e41b9195a7fc9e 62614 tomcat5.5_5.5.26-1_all.deb
 ad10367ef44053c78408a2d48a2a643dce429aa4e5d680a51650f29de0bff944 2487026 libtomcat5.5-java_5.5.26-1_all.deb
 a02e571764d4eec99f8feaec40ce4467b3b99acb1d8a9218b26b1a39b040ee26 1491106 tomcat5.5-webapps_5.5.26-1_all.deb
 204721c3764c77e3a81d1361c35fa5004482af026843e7fdaaff4aa5d9252549 1142846 tomcat5.5-admin_5.5.26-1_all.deb
Files: 
 08f26ee3c17b94887015fef8feb29fc0 1739 web optional tomcat5.5_5.5.26-1.dsc
 642b6526354cb18c5b5d77ebef8109ae 5062991 web optional tomcat5.5_5.5.26.orig.tar.gz
 99586bbea9c184528408ba2649ab2fdf 29833 web optional tomcat5.5_5.5.26-1.diff.gz
 d92f506fdcb5ee1e1a3c222ae0cd8f72 62614 web optional tomcat5.5_5.5.26-1_all.deb
 d098841e963a77764ad31aa2b9f8e257 2487026 web optional libtomcat5.5-java_5.5.26-1_all.deb
 7207dce52c33b8f09bf80ff864d60a2c 1491106 web optional tomcat5.5-webapps_5.5.26-1_all.deb
 ec9124b89c26eda31c61f421c9145cf3 1142846 web optional tomcat5.5-admin_5.5.26-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFICmMmWSOgCCdjSDsRAqgZAJoDcxRqcQ5qU/KXaqzq2wCSMdvVxwCeO7fS
Z71F2SslvgfJuzT4+0O/IgU=
=eHya
-----END PGP SIGNATURE-----



--- End Message ---