Your message dated Mon, 03 Aug 2009 13:17:52 +0200
with message-id <4a76c760.2000...@better.se>
and subject line closing bugs in tomcat5
has caused the Debian Bug report #532363,
regarding CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2009-0781: Apache
Tomcat 5 Multiple Vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
532363: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532363
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat5
Version: 5.0.30-12etch1
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for tomcat5.
CVE-2009-0033[0]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when the Java AJP connector and mod_jk load balancing
| are used, allows remote attackers to cause a denial of service
| (application outage) via a crafted request with invalid headers,
| related to temporary blocking of connectors that have encountered
| errors, as demonstrated by an error involving a malformed HTTP Host
| header.
CVE-2009-0580[1]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when FORM authentication is used, allows remote
| attackers to enumerate valid usernames via requests to
| /j_security_check with malformed URL encoding of passwords, related to
| improper error checking in the (1) MemoryRealm, (2) DataSourceRealm,
| and (3) JDBCRealm authentication realms, as demonstrated by a %
| (percent) value for the j_password parameter.
CVE-2009-0783[2]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18 permits web applications to replace an XML parser used
| for other web applications, which allows local users to read or modify
| the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web
| applications via a crafted application that is loaded earlier than the
| target application.
CVE-2009-0781[3]:
| Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the
| calendar application in the examples web application in Apache Tomcat
| 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18
| allows remote attackers to inject arbitrary web script or HTML via the
| time parameter, related to "invalid HTML."
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
http://security-tracker.debian.net/tracker/CVE-2009-0033
Patch: http://svn.apache.org/viewvc?rev=742915&view=rev
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
http://security-tracker.debian.net/tracker/CVE-2009-0580
Patch: http://svn.apache.org/viewvc?rev=747840&view=rev
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
http://security-tracker.debian.net/tracker/CVE-2009-0783
Patch: http://svn.apache.org/viewvc?rev=652592&view=rev
http://svn.apache.org/viewvc?rev=739522&view=rev
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
http://security-tracker.debian.net/tracker/CVE-2009-0781
Patch: http://svn.apache.org/viewvc?rev=750924&view=rev
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkotdlIACgkQNxpp46476arHcgCeILT38XMFImu8JUg4AoWgfwCJ
Xm4AoILxBkpWM3ElwWUyK73qupIPp2UU
=CgXU
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
tomcat5 has been removed from Debian. This bug does not apply to
tomcat5.5 or tomcat6, or has already been reported or fixed there, so
I'm closing it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkp2x2AACgkQXjXn6TzcAQkSNgCgkow5fbA2C+YIQ8Gqssma9web
2poAn25kEBL4V63t+rdrk6zAg62LvypC
=jSjY
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
pkg-java-maintainers mailing list
pkg-java-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
