03-30-2011, 09:08 AM
Johan Karlsson
 
Tomcat 5.5 Vulnerabilities

Hi,

I'm trying to figure out the Tomcat 5.5 Security Update that was announced on the security list earlier today:

-----------------------------
Package : tomcat5.5
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2008-5515 CVE-2009-0033 CVE-2009-0580 CVE-2009-0781 CVE-2009-0783 CVE-2009-2693 CVE-2009-2902 CVE-2010-1157 CVE-2010-2227

Various vulnerabilities have been discovered in the Tomcat Servlet and JSP engine, resulting in denial of service, cross-site scripting, information disclosure and WAR file traversal. Further details on the individual security issues can be found at http://tomcat.apache.org/security-5.html.
-----------------------------

They list CVEs as far back as 2008, which got me curious.

The latest important tomcat 5.5 vulnerability in the list is:

Important: Remote Denial Of Service and Information Disclosure Vulnerability CVE-2010-2227

According to the Apache Tomcat site:

"This was first reported to the Tomcat security team on 14 Jun 2010 and made public on 9 Jul 2010." It was fixed in the SVN branch on 30 Jun 2010 (thus prior to the public announcement).

The first CVE in the list is CVE-2008-5515, and according to the Apache Tomcat site:

"This was first reported to the Tomcat security team on 11 Dec 2008 and made public on 8 Jun 2009." It was fixed in SVN on 10 Jun 2009.

I searched for "tomcat" in my Debian security list mail folder and the previous Tomcat 5.5 Debian security announcement was on 2008-06-09.

So... everything points to Tomcat 5.5 being unpatched in Debian for 3 years now, despite several more or less severe security vulnerabilities (several are classified as "important" on the Apache Tomcat site). Can this really be true?

Regards,

Johan Karlsson


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/7E30D8226BA9A6409900813063AF50AF72CD38@WIN03.ad.deltamanagement.se
 
03-30-2011, 07:17 PM
Camaleón
 
Tomcat 5.5 Vulnerabilities

On Wed, 30 Mar 2011 09:08:04 +0000, Johan Karlsson wrote:

> I'm trying to figure out the Tomcat 5.5 Security Update that was announced
> on the security list earlier today:
>
> -----------------------------
> Package : tomcat5.5
> Vulnerability : several
> Problem type : remote
> Debian-specific: no
> CVE ID : CVE-2008-5515 CVE-2009-0033 CVE-2009-0580 CVE-2009-0781
> CVE-2009-0783 CVE-2009-2693 CVE-2009-2902 CVE-2010-1157 CVE-2010-2227

(...)

> I searched for "tomcat" in my Debian security list mail folder and the
> previous Tomcat 5.5 Debian security announcement was on 2008-06-09.
>
> So... everything points to Tomcat 5.5 being unpatched in Debian for 3
> years now, despite several more or less severe security vulnerabilities
> (several are classified as "important" on the Apache Tomcat site). Can
> this really be true?

It looks a bit strange, yep :-?

I would ask in debian security mailing list about this matter:

http://lists.debian.org/debian-security/

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2011.03.30.19.17.13@gmail.com