Your message dated Tue, 18 Dec 2012 20:03:37 +0100
with message-id
<cadk7b0pppkkkd8rrgp9efsbconf481ehpam3whtu3qnzdhl...@mail.gmail.com>
and subject line Package removed
has caused the Debian Bug report #532366,
regarding CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2009-0781: Apache
Tomcat 5 Multiple Vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
532366: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532366
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat5
Version: 5.0.30-12etch1
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for tomcat5.
CVE-2009-0033[0]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when the Java AJP connector and mod_jk load balancing
| are used, allows remote attackers to cause a denial of service
| (application outage) via a crafted request with invalid headers,
| related to temporary blocking of connectors that have encountered
| errors, as demonstrated by an error involving a malformed HTTP Host
| header.
CVE-2009-0580[1]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when FORM authentication is used, allows remote
| attackers to enumerate valid usernames via requests to
| /j_security_check with malformed URL encoding of passwords, related to
| improper error checking in the (1) MemoryRealm, (2) DataSourceRealm,
| and (3) JDBCRealm authentication realms, as demonstrated by a %
| (percent) value for the j_password parameter.
CVE-2009-0783[2]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18 permits web applications to replace an XML parser used
| for other web applications, which allows local users to read or modify
| the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web
| applications via a crafted application that is loaded earlier than the
| target application.
CVE-2009-0781[3]:
| Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the
| calendar application in the examples web application in Apache Tomcat
| 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18
| allows remote attackers to inject arbitrary web script or HTML via the
| time parameter, related to "invalid HTML."
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
http://security-tracker.debian.net/tracker/CVE-2009-0033
Patch: http://svn.apache.org/viewvc?rev=742915&view=rev
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
http://security-tracker.debian.net/tracker/CVE-2009-0580
Patch: http://svn.apache.org/viewvc?rev=747840&view=rev
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
http://security-tracker.debian.net/tracker/CVE-2009-0783
Patch: http://svn.apache.org/viewvc?rev=652592&view=rev
http://svn.apache.org/viewvc?rev=739522&view=rev
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
http://security-tracker.debian.net/tracker/CVE-2009-0781
Patch: http://svn.apache.org/viewvc?rev=750924&view=rev
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkotdlIACgkQNxpp46476arHcgCeILT38XMFImu8JUg4AoWgfwCJ
Xm4AoILxBkpWM3ElwWUyK73qupIPp2UU
=CgXU
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Version: 5.5.26-5+rm
Dear submitter,
as this package has been removed from the Debian archive unstable
we hereby close the associated bug reports. We are sorry that we
couldn't deal with your issue properly.
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
--- End Message ---
