Debian Bug report logs - #532363
CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2009-0781: Apache Tomcat 5 Multiple Vulnerabilities
Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>
Date: Mon, 8 Jun 2009 20:39:02 UTC
Severity: serious
Tags: patch, security
Found in version tomcat5/5.0.30-12etch4
Done: Marcus Better <marcus@better.se>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#532363; Package tomcat5. (Mon, 08 Jun 2009 20:39:04 GMT)
Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 08 Jun 2009 20:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: tomcat5
Version: 5.0.30-12etch4
Severity: serious
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for tomcat5.
CVE-2009-0033[0]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when the Java AJP connector and mod_jk load balancing
| are used, allows remote attackers to cause a denial of service
| (application outage) via a crafted request with invalid headers,
| related to temporary blocking of connectors that have encountered
| errors, as demonstrated by an error involving a malformed HTTP Host
| header.
CVE-2009-0580[1]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when FORM authentication is used, allows remote
| attackers to enumerate valid usernames via requests to
| /j_security_check with malformed URL encoding of passwords, related to
| improper error checking in the (1) MemoryRealm, (2) DataSourceRealm,
| and (3) JDBCRealm authentication realms, as demonstrated by a %
| (percent) value for the j_password parameter.
CVE-2009-0783[2]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18 permits web applications to replace an XML parser used
| for other web applications, which allows local users to read or modify
| the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web
| applications via a crafted application that is loaded earlier than the
| target application.
CVE-2009-0781[3]:
| Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the
| calendar application in the examples web application in Apache Tomcat
| 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18
| allows remote attackers to inject arbitrary web script or HTML via the
| time parameter, related to "invalid HTML."
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
http://security-tracker.debian.net/tracker/CVE-2009-0033
Patch: http://svn.apache.org/viewvc?rev=742915&view=rev
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
http://security-tracker.debian.net/tracker/CVE-2009-0580
Patch: http://svn.apache.org/viewvc?rev=747840&view=rev
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
http://security-tracker.debian.net/tracker/CVE-2009-0783
Patch: http://svn.apache.org/viewvc?rev=652592&view=rev http://svn.apache.org/viewvc?rev=739522&view=rev
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
http://security-tracker.debian.net/tracker/CVE-2009-0781
Patch: http://svn.apache.org/viewvc?rev=750924&view=rev
Bug 532363 cloned as bug 532366. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Mon, 08 Jun 2009 20:57:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#532363; Package tomcat5. (Sat, 13 Jun 2009 18:48:06 GMT)
Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 13 Jun 2009 18:48:06 GMT)
Message #12 received at 532363@bugs.debian.org:
Hi,
also CVE-2008-5515 is now disclosed:
Information Disclosure CVE-2008-5515
When using a RequestDispatcher obtained from the Request, the target path was
normalised before the query string was removed. A request that included a
specially crafted request parameter could be used to access content that would
otherwise be protected by a security constraint or by locating it under the
WEB-INF directory.
tomcat6: This was fixed in revision 734734[1].
tomcat5: This was fixed in revision 782757[2] and revision 783291[3].
[1] http://svn.apache.org/viewvc?view=rev&revision=734734
[2] http://svn.apache.org/viewvc?view=rev&revision=782757
[3] http://svn.apache.org/viewvc?view=rev&revision=783291
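A small Python model of the ordering bug described for CVE-2008-5515 above, added here as an illustration (it is not Tomcat's own code; its `normalize` and the sample target are constructed simplifications of container behaviour): `resolve_vulnerable` normalises the RequestDispatcher target before removing the query string, `resolve_fixed` removes the query string first, and `reaches_protected` is the regression check a maintainer would keep.

```python
# Added illustration of the CVE-2008-5515 ordering bug; not Tomcat source.
# Assumption: a container normalises '.'/'..' segments of a RequestDispatcher
# target and strips its query string; only the ORDER of those steps differs.

PROTECTED_PREFIX = "/WEB-INF/"

def normalize(path):
    """Collapse '.' and '..' segments; return None if '..' would climb
    above the context root (a container must refuse such a target)."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)

def strip_query(target):
    """Split a dispatcher target into (path, query-or-None)."""
    path, sep, query = target.partition("?")
    return path, (query if sep else None)

def resolve_vulnerable(target):
    """Pre-fix order: normalise the whole target, THEN drop the query.
    '..' segments inside the query string are treated as path segments."""
    normalised = normalize(target)
    return None if normalised is None else strip_query(normalised)[0]

def resolve_fixed(target):
    """Corrected order: drop the query first, then normalise the path only."""
    return normalize(strip_query(target)[0])

def reaches_protected(path):
    """Regression check: a resolved target must never land under WEB-INF."""
    return path is not None and path.startswith(PROTECTED_PREFIX)

if __name__ == "__main__":
    # Constructed sample target built from a request parameter; the '..'
    # segments appear only in the query string.
    target = "/pages/view.jsp?next=/../../WEB-INF/web.xml"
    for name, fn in (("vulnerable", resolve_vulnerable), ("fixed", resolve_fixed)):
        resolved = fn(target)
        print(f"{name:10s} -> {resolved!r}  under WEB-INF: {reaches_protected(resolved)}")
```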
Reply sent to Marcus Better <marcus@better.se>: You have taken responsibility. (Mon, 03 Aug 2009 11:27:41 GMT)
Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>: Bug acknowledged by developer. (Mon, 03 Aug 2009 11:27:41 GMT)
Message #17 received at 532363-done@bugs.debian.org:
tomcat5 has been removed from Debian. This bug does not apply to
tomcat5.5 or tomcat6, or has already been reported or fixed there, so
I'm closing it.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 01 Sep 2009 07:37:44 GMT)
Last modified: Wed Jun 19 17:26:44 2019