Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Debian User (http://www.linux-archive.org/debian-user/)
-   -   Tomcat 5.5 Vulnerabilities (http://www.linux-archive.org/debian-user/507404-tomcat-5-5-vulnerabilities.html)

Johan Karlsson 03-30-2011 09:08 AM
Tomcat 5.5 Vulnerabilities
 
Hi,

I'm trying to figure the Tomcat 5.5 Security Update that was announced on the security list earlier today:

-----------------------------
Package : tomcat5.5
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2008-5515 CVE-2009-0033 CVE-2009-0580 CVE-2009-0781 CVE-2009-0783 CVE-2009-2693 CVE-2009-2902 CVE-2010-1157 CVE-2010-2227

Various vulnerabilities have been discovered in the Tomcat Servlet and JSP engine, resulting in denial of service, cross-site scripting, information disclosure and WAR file traversal. Further details on the individual security issues can be found at http://tomcat.apache.org/security-5.html.
-----------------------------

They list CVEs as far back as 2008, which got me curious.

The latest important tomcat 5.5 vulnerability in the list is:

Important: Remote Denial Of Service and Information Disclosure Vulnerability CVE-2010-2227

According to the Apache Tomcat site:

"This was first reported to the Tomcat security team on 14 Jun 2010 and made public on 9 Jul 2010." It was fixed in the SVN branch on 30 Jun 2010 (thus prior to the public announcement).

The first CVE in the list is CVE-2008-5515, and according to the Apache Tomcat site:

"This was first reported to the Tomcat security team on 11 Dec 2008 and made public on 8 Jun 2009." It was fixed in SVN on 10 Jun 2009.

I searched for "tomcat" in my Debian security list mail folder and the previous Tomcat 5.5 Debian security announcement was on 2008-06-09.

So.. everything points to Tomcat 5.5 being unpached in Debian for 3 years now, despite several more or less severe security vulnerabilities (several are classified as "important" on the Apache Tomcat site). Can this really be true?

Regards,

Johan Karlsson


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 7E30D8226BA9A6409900813063AF50AF72CD38@WIN03.ad.de ltamanagement.se">http://lists.debian.org/7E30D8226BA9A6409900813063AF50AF72CD38@WIN03.ad.de ltamanagement.se

Camaleón 03-30-2011 07:17 PM
Tomcat 5.5 Vulnerabilities
 
On Wed, 30 Mar 2011 09:08:04 +0000, Johan Karlsson wrote:

> I'm trying to figure the Tomcat 5.5 Security Update that was announced
> on the security list earlier today:
>
> -----------------------------
> Package : tomcat5.5
> Vulnerability : several
> Problem type : remote
> Debian-specific: no
> CVE ID : CVE-2008-5515 CVE-2009-0033 CVE-2009-0580 CVE-2009-0781
> CVE-2009-0783 CVE-2009-2693 CVE-2009-2902 CVE-2010-1157 CVE-2010-2227

(...)

> I searched for "tomcat" in my Debian security list mail folder and the
> previous Tomcat 5.5 Debian security announcement was on 2008-06-09.
>
> So.. everything points to Tomcat 5.5 being unpached in Debian for 3
> years now, despite several more or less severe security vulnerabilities
> (several are classified as "important" on the Apache Tomcat site). Can
> this really be true?

It looks a bit strange, yep :-?

I would ask in debian security mailing list about this matter:

http://lists.debian.org/debian-security/

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: pan.2011.03.30.19.17.13@gmail.com">http://lists.debian.org/pan.2011.03.30.19.17.13@gmail.com


All times are GMT. The time now is 01:30 AM.

VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.