CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2009-0781: Apache Tomcat 6 Multiple Vulnerabilities

Related Vulnerabilities: CVE-2009-0033   CVE-2009-0580   CVE-2009-0783   CVE-2009-0781   CVE-2008-5515  

Debian Bug report logs - #532362


Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Mon, 8 Jun 2009 20:36:01 UTC

Severity: serious

Tags: patch, security

Found in version tomcat6/6.0.18-1

Fixed in version tomcat6/6.0.20-1

Done: Torsten Werner <twerner@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#532362; Package tomcat6. (Mon, 08 Jun 2009 20:36:04 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.

Your message had a Version: pseudo-header with an invalid package version:

6.0.16-1 6.0.18-dfsg1-1

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Mon, 08 Jun 2009 20:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2009-0781: Apache Tomcat 6 Multiple Vulnerabilities
Date: Mon, 08 Jun 2009 22:34:08 +0200
Package: tomcat6
Version: 6.0.16-1 6.0.18-dfsg1-1
Severity: serious
Tags: security patch



Hi,
the following CVE (Common Vulnerabilities & Exposures) IDs were
published for tomcat6.

CVE-2009-0033[0]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when the Java AJP connector and mod_jk load balancing
| are used, allows remote attackers to cause a denial of service
| (application outage) via a crafted request with invalid headers,
| related to temporary blocking of connectors that have encountered
| errors, as demonstrated by an error involving a malformed HTTP Host
| header.

CVE-2009-0580[1]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when FORM authentication is used, allows remote
| attackers to enumerate valid usernames via requests to
| /j_security_check with malformed URL encoding of passwords, related to
| improper error checking in the (1) MemoryRealm, (2) DataSourceRealm,
| and (3) JDBCRealm authentication realms, as demonstrated by a %
| (percent) value for the j_password parameter.

CVE-2009-0783[2]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18 permits web applications to replace an XML parser used
| for other web applications, which allows local users to read or modify
| the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web
| applications via a crafted application that is loaded earlier than the
| target application.

CVE-2009-0781[3]:
| Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the
| calendar application in the examples web application in Apache Tomcat
| 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18
| allows remote attackers to inject arbitrary web script or HTML via the
| time parameter, related to "invalid HTML."



These are already fixed in Debian unstable (6.0.20-1).
Please coordinate with the security team (team@security.debian.org) to
prepare packages for the stable releases.


If you fix the vulnerabilities, please also make sure to include the
CVE IDs in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
    http://security-tracker.debian.net/tracker/CVE-2009-0033
    Patch: http://svn.apache.org/viewvc?rev=742915&view=rev
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
    http://security-tracker.debian.net/tracker/CVE-2009-0580
    Patch: http://svn.apache.org/viewvc?rev=747840&view=rev
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
    http://security-tracker.debian.net/tracker/CVE-2009-0783
    Patch: http://svn.apache.org/viewvc?rev=652592&view=rev http://svn.apache.org/viewvc?rev=739522&view=rev
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
    http://security-tracker.debian.net/tracker/CVE-2009-0781
    Patch: http://svn.apache.org/viewvc?rev=750924&view=rev



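The CVE-2009-0580 entry above describes an enumeration that works because the realm fails differently for known and unknown usernames once a malformed j_password leaves the credential null. The following Python model is an added example, not code from this bug report or from Tomcat: it stands in for the FORM login endpoint and a MemoryRealm-style user table (the `USERS` dictionary and the `/login-error.html` and `/protected/` locations are constructed for the demonstration, and `strict_unquote` is a stand-in for the container's parameter parsing, which the advisory says leaves the parameter unset on invalid encoding). `VulnerableRealm` dereferences the credential only after a successful user lookup, reproducing the differential; `FixedRealm` adds the null check that the patch adds, so both cases take the same path.

```python
"""Model of the CVE-2009-0580 username-enumeration differential (added example)."""
import hmac
import re

# Constructed user table standing in for tomcat-users.xml (MemoryRealm).
USERS = {"tomcat": "s3cret", "admin": "hunter2"}

_WELL_FORMED = re.compile(r"^(?:[^%]|%[0-9A-Fa-f]{2})*$")


def strict_unquote(value):
    """Percent-decode a form value; return None when the encoding is malformed.

    Stand-in (assumption) for the container leaving a parameter unset when the
    request body contains an invalid escape such as a lone '%'.
    """
    if not _WELL_FORMED.match(value):
        return None
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


class VulnerableRealm:
    """Unpatched behaviour: the credential is only touched for a known user."""

    def authenticate(self, username, credentials):
        stored = USERS.get(username)
        if stored is None:
            return None  # unknown user: ordinary authentication failure
        # Known user: credentials is dereferenced without a null check, so a
        # None credential raises here, modelling the NullPointerException
        # path in the unpatched realms.
        if hmac.compare_digest(stored.encode(), credentials.encode()):
            return username
        return None


class FixedRealm(VulnerableRealm):
    """Patched behaviour: a missing credential fails before any user lookup."""

    def authenticate(self, username, credentials):
        if username is None or credentials is None:
            return None
        return super().authenticate(username, credentials)


def j_security_check(realm, form_body):
    """Model of the FORM login endpoint; returns (status, redirect_location)."""
    params = {}
    for pair in form_body.split("&"):
        key, _, value = pair.partition("=")
        params[key] = strict_unquote(value)
    try:
        principal = realm.authenticate(params.get("j_username"),
                                       params.get("j_password"))
    except Exception:
        return (500, None)  # container error page: the leaking signal
    if principal is None:
        return (302, "/login-error.html")  # form-login-config error page
    return (302, "/protected/")


def enumerate_users(realm, candidates):
    """Attacker side: names that yield a 500 for j_password=% exist in the realm."""
    found = []
    for name in candidates:
        status, _ = j_security_check(realm, f"j_username={name}&j_password=%")
        if status == 500:
            found.append(name)
    return found


if __name__ == "__main__":
    names = ["tomcat", "bob", "admin"]
    print("vulnerable:", enumerate_users(VulnerableRealm(), names))
    print("fixed:     ", enumerate_users(FixedRealm(), names))
```

Against a live target the same probe is a POST of `j_username=<name>&j_password=%` to `/j_security_check`, comparing status codes and redirect targets across candidate names; the model keeps the network out so the differential itself can be checked.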




Bug marked as fixed in version 6.0.20-1. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Mon, 08 Jun 2009 20:45:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#532362; Package tomcat6. (Sat, 13 Jun 2009 18:48:05 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 13 Jun 2009 18:48:05 GMT)


Message #12 received at 532362@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 532362@bugs.debian.org, 532363@bugs.debian.org, 532366@bugs.debian.org
Subject: CVE-2008-5515
Date: Sat, 13 Jun 2009 20:45:55 +0200
Hi,

also CVE-2008-5515 is now disclosed:

Information Disclosure   CVE-2008-5515

When using a RequestDispatcher obtained from the Request, the target path was
normalised before the query string was removed. A request that included a
specially crafted request parameter could be used to access content that would
otherwise be protected by a security constraint or by locating it under the
WEB-INF directory.

tomcat6: This was fixed in revision 734734[1].
tomcat5: This was fixed in revision 782757[2] and revision 783291[3].


[1] http://svn.apache.org/viewvc?view=rev&revision=734734
[2] http://svn.apache.org/viewvc?view=rev&revision=782757
[3] http://svn.apache.org/viewvc?view=rev&revision=783291

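The CVE-2008-5515 description above turns on the order of two operations: normalising the dispatcher target and removing its query string. The following Python model is an added example, not code from this report or from Tomcat. It assumes an application that builds a dispatcher target from a request parameter (the `/app/page.jsp?next=` prefix and the `WEBAPP_RESOURCES` layout are constructed for the demonstration) and uses `posixpath.normpath` as a stand-in for the container's path normalisation. With the unpatched ordering the `/../` sequences inside the parameter value collapse the `page.jsp?next=` segment and the forward lands on `/WEB-INF/web.xml`; with the patched ordering the query string is split off first, so the traversal stays data.

```python
"""Model of the CVE-2008-5515 RequestDispatcher ordering bug (added example)."""
import posixpath

# Constructed web application layout; WEB-INF content must never be served.
WEBAPP_RESOURCES = {
    "/app/page.jsp": "<html>page</html>",
    "/WEB-INF/web.xml": "<web-app>...</web-app>",
}


def resolve_vulnerable(target):
    """Unpatched order: normalise the whole string, then strip the query."""
    normalised = posixpath.normpath(target)  # stand-in for Tomcat normalisation
    path, _, query = normalised.partition("?")
    return path, query


def resolve_fixed(target):
    """Patched order: strip the query first, then normalise only the path."""
    path, _, query = target.partition("?")
    return posixpath.normpath(path), query


def forward(resolver, next_param):
    """Model of an application forwarding to
    request.getRequestDispatcher("/app/page.jsp?next=" + next_param).

    A forward is an internal dispatch, so the usual refusal to serve
    /WEB-INF on direct requests does not apply here; whatever path the
    resolver yields is what gets served. Returns (path, query, content).
    """
    target = "/app/page.jsp?next=" + next_param
    path, query = resolver(target)
    return path, query, WEBAPP_RESOURCES.get(path)


if __name__ == "__main__":
    crafted = "/../../WEB-INF/web.xml"  # constructed attacker value for 'next'
    for name, resolver in (("vulnerable", resolve_vulnerable),
                           ("fixed", resolve_fixed)):
        path, query, content = forward(resolver, crafted)
        print(f"{name:10} path={path!r} query={query!r} served={content!r}")
```

The ordering fix closes the traversal, but an application that concatenates user input into a dispatcher target still hands the attacker control of the path; validating `next` against an allow-list of application paths before building the target is the belt to go with the container's braces.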

Bug marked as fixed in version 6.0.20-1. Request was from Torsten Werner <twerner@debian.org> to control@bugs.debian.org. (Thu, 18 Jun 2009 20:30:03 GMT)


Bug closed, send any further explanations to Giuseppe Iuculano <giuseppe@iuculano.it>. Request was from Torsten Werner <twerner@debian.org> to control@bugs.debian.org. (Mon, 06 Jul 2009 20:33:08 GMT)


Bug marked as found in versions tomcat6/6.0.18-1. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Wed, 04 Aug 2010 00:51:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 Sep 2010 07:39:50 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:54:40 2019; Machine Name: beach
