Your message dated Fri, 14 Nov 2008 18:56:44 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Re: tomcat6: Several security issues in Tomcat
has caused the Debian Bug report #503309,
regarding tomcat6: Several security issues in Tomcat
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
503309: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503309
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: tomcat6
Severity: grave
Tags: security
Justification: user security hole
Several vulnerabilities have been fixed in Apache Tomcat 6.0.18, see
below.
BTW, do we really need two Tomcat versions in Lenny? Is Tomcat 6
incompatible with 5.5?
Cheers,
Moritz
low: Cross-site scripting CVE-2008-1232
The message argument of the HttpServletResponse.sendError() call is not only
displayed on the error page, but is also used for the reason-phrase of the HTTP
response. This may include characters that are illegal in HTTP headers. It is
possible for a specially crafted message to result in arbitrary content being
injected into the HTTP response. For a successful XSS attack, unfiltered
user-supplied data must be included in the message argument.
This was fixed in revision 673834.
Affects: 6.0.0-6.0.16
low: Cross-site scripting CVE-2008-1947
The Host Manager web application did not escape user-provided data before
including it in the output. This enabled an XSS attack. This application now
filters the data before use. This issue may be mitigated by logging out of the
application (closing the browser) once the management tasks have been
completed.
This was fixed in revision 662585.
Affects: 6.0.0-6.0.16
important: Information disclosure CVE-2008-2370
When using a RequestDispatcher the target path was normalised before the query
string was removed. A request that included a specially crafted request
parameter could be used to access content that would otherwise be protected by
a security constraint or by locating it under the WEB-INF directory.
This was fixed in revision 673839.
Affects: 6.0.0-6.0.16
important: Directory traversal CVE-2008-2938
If a context is configured with allowLinking="true" and the connector is
configured with URIEncoding="UTF-8" then a malformed request may be used to
access arbitrary files on the server. If the connector is configured with
URIEncoding="UTF-8" then a malformed request may be used to access arbitrary
files within the docBase of a context such as web.xml. It should also be noted
that setting useBodyEncodingForURI="true" has the same effect as setting
URIEncoding="UTF-8" when processing requests with bodies encoded with UTF-8.
This was fixed in revision 678137.
Affects: 6.0.0-6.0.16
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
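As an added illustration (not Tomcat's code, and not part of the bug report above), the ordering defect described for CVE-2008-2370 modelled in Python: a dispatcher target that is normalised before its query string is stripped lets ".." segments sitting inside the query collapse the real path, while stripping the query first keeps the resolved path under the caller's control. The path strings and the WEB-INF check are constructed for the example.

```python
# Added example modelling the RequestDispatcher normalisation-order bug
# (CVE-2008-2370) and its corrected ordering. Not Tomcat's implementation.
from urllib.parse import unquote

# Constructed for the example: prefixes a container must never serve directly.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalise(path: str) -> str:
    """Collapse '.', '..' and empty segments the way a container resolves a path."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def resolve_vulnerable(target: str) -> str:
    # Wrong order: the whole target, query string included, is normalised,
    # so '..' segments inside the query are treated as path segments.
    normalised = normalise(unquote(target))
    return normalised.split("?", 1)[0]


def resolve_fixed(target: str) -> str:
    # Correct order: strip the query string on the raw target first, then
    # decode and normalise only the path part.
    path = target.split("?", 1)[0]
    return normalise(unquote(path))


def is_protected(resolved_path: str) -> bool:
    """True if the resolved dispatcher target lands in a protected directory."""
    return resolved_path.startswith(PROTECTED_PREFIXES)


if __name__ == "__main__":
    # Constructed sample: the '..' segments live entirely in the query string.
    sample = "/app/page.jsp?x=/../../WEB-INF/web.xml"
    for name, resolver in (("vulnerable", resolve_vulnerable), ("fixed", resolve_fixed)):
        resolved = resolver(sample)
        print(f"{name:10s} -> {resolved}  protected={is_protected(resolved)}")
```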
--- Begin Message ---
On Sat, Nov 08, 2008 at 07:09:14PM +0000, Dominic Hargreaves wrote:
> On Fri, Oct 24, 2008 at 05:41:39PM +0200, Moritz Muehlenhoff wrote:
> > Several vulnerabilities have been fixed in Apache Tomcat 6.0.18, see
> > below.
> >
> > BTW, do we really need two Tomcat versions in Lenny? Is Tomcat 6
> > incompatible with 5.5?
>
> It doesn't look like the tomcat6 source package actually supplies the
> main tomcat6 server as binary packages (see
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413906 for details).
>
> I believe that this means that these issues are not present in Debian,
> and that the severity of this bug should therefore be lowered. Java
> maintainers, do you agree, and if so could you lower this from RC
> severity?
You're correct, this was an error on my side. I've double-checked the
upstream commits and this bug can be closed.
Cheers,
Moritz
--- End Message ---