On Fri, Sep 07, 2007 at 02:42:13PM +0200, Nico Golde wrote:
> Package: tomcat5-webapps
> Version: 5.0.30-12
> Severity: minor
> Tags: security
>
> Hi,
> a CVE[0] has been issued against your package.
> CVE-2007-4724:
> Cross-site request forgery (CSRF) vulnerability in cal2.jsp
> in the calendar examples application in Apache Tomcat 4.1.31
> allows remote attackers to add events as arbitrary users via
> the time and description parameters.
>
> I verified that this issue is present in etch; however, it is
> fixed in tomcat5.5-webapps in unstable and testing.
> Please include the CVE id in the changelog if you fix this
> issue.
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4724
I finally identified what needs to be fixed. The problem is that the affected file (cal2.jsp) is included in the tomcat5 source, but during its build it gets copied over from the libservlet2.4-java package. So at least two source packages are affected by this. I will speak with the SRMs about how to fix this in stable. In unstable, only libservlet2.4-java is affected (its examples, to be concrete).

Cheers,
Michael
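To make the class of bug concrete, here is an added example (not the Tomcat cal2.jsp code, and not anything from the bug report or either poster): a small in-process model of an "add calendar event" handler that takes the same two parameters the CVE text names, time and description. The vulnerable handler trusts the session cookie alone, so a request a victim's browser is tricked into sending from an attacker's page is indistinguishable from a legitimate one. The hardened handler additionally requires a per-session synchronizer token that the attacker's page cannot read. The cookie name JSESSIONID, the token field name csrf_token, and the request/session dictionaries are assumptions of this model, not Tomcat behaviour.

```python
import hmac
import secrets


class CalendarApp:
    """Toy model of a calendar web app. Sessions are keyed by an assumed
    JSESSIONID cookie; requests are plain dicts standing in for HTTP."""

    def __init__(self):
        self.events = {}    # user -> list of (time, description)
        self.sessions = {}  # session id -> {"user": ..., "csrf": ...}

    def login(self, user):
        sid = secrets.token_hex(16)
        # A fresh, unguessable synchronizer token is bound to the session.
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def csrf_token(self, sid):
        """What the legitimate form page would embed as a hidden field."""
        return self.sessions[sid]["csrf"]

    def _session(self, request):
        return self.sessions.get(request["cookies"].get("JSESSIONID"))

    def add_event_vulnerable(self, request):
        # Only the cookie is checked, so any site that can make the
        # victim's browser send this request adds an event as the victim.
        sess = self._session(request)
        if sess is None:
            return 401
        params = request["params"]
        self.events.setdefault(sess["user"], []).append(
            (params["time"], params["description"]))
        return 200

    def add_event_hardened(self, request):
        sess = self._session(request)
        if sess is None:
            return 401
        # State changes only via POST; a GET from an <img> tag is refused.
        if request["method"] != "POST":
            return 405
        params = request["params"]
        # Constant-time compare of the submitted token against the session's.
        supplied = params.get("csrf_token", "")
        if not hmac.compare_digest(supplied, sess["csrf"]):
            return 403
        self.events.setdefault(sess["user"], []).append(
            (params["time"], params["description"]))
        return 200


def demonstrate():
    """Run a forged and a legitimate request through both handlers.
    Returns a dict of status codes and the victim's resulting event lists."""
    app = CalendarApp()
    sid = app.login("victim")

    # Constructed forged request: the browser attaches the victim's cookie,
    # but the attacker's page only knows the parameter names, not the token.
    forged = {
        "method": "POST",
        "cookies": {"JSESSIONID": sid},
        "params": {"time": "09:00", "description": "attacker text"},
    }
    # Constructed legitimate request from the app's own form page.
    legit = {
        "method": "POST",
        "cookies": {"JSESSIONID": sid},
        "params": {"time": "10:00", "description": "dentist",
                   "csrf_token": app.csrf_token(sid)},
    }

    vuln_forged = app.add_event_vulnerable(forged)
    after_vuln = list(app.events.get("victim", []))

    app.events.clear()
    hard_forged = app.add_event_hardened(forged)
    hard_legit = app.add_event_hardened(legit)
    after_hard = list(app.events.get("victim", []))

    return {
        "vulnerable_forged_status": vuln_forged,
        "vulnerable_events": after_vuln,
        "hardened_forged_status": hard_forged,
        "hardened_legit_status": hard_legit,
        "hardened_events": after_hard,
    }


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(k, v)
```

The point the model makes is that the CSRF check has nothing to do with authentication: the forged request is fully authenticated by the cookie, and only the token, which the attacker's origin cannot obtain, separates it from the victim's own submission. Rejecting non-POST methods closes the trivial `<img src=...>` vector but is not a substitute for the token, since a cross-site form can POST just as easily.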