Your message dated Mon, 6 Oct 2008 10:09:11 +0200
with message-id <[EMAIL PROTECTED]>
and subject line CVE-2008-1232/CVE-2008-2370: XSS and directory traversal
has caused the Debian Bug report #494504,
regarding CVE-2008-1232/CVE-2008-2370: XSS and directory traversal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
494504: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494504
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: tomcat5.5
Severity: grave
Tags: security
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) IDs were
published for tomcat5.5.

CVE-2008-1232[0]:
| Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0
| through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows
| remote attackers to inject arbitrary web script or HTML via a crafted
| string that is used in the message argument to the
| HttpServletResponse.sendError method.

CVE-2008-2370[1]:
| Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0
| through 6.0.16, when a RequestDispatcher is used, performs path
| normalization before removing the query string from the URI, which
| allows remote attackers to conduct directory traversal attacks and
| read arbitrary files via a .. (dot dot) in a request parameter.

If you fix the vulnerabilities please also make sure to include the
CVE IDs in your changelog entry.

Also see the tomcat5.5 summary page[2].

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
    http://security-tracker.debian.net/tracker/CVE-2008-1232
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370
    http://security-tracker.debian.net/tracker/CVE-2008-2370
[2] http://tomcat.apache.org/security-5.html



--- End Message ---
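The CVE-2008-2370 description above turns on the order of two steps: normalising the RequestDispatcher target path, and stripping its query string. The following Python model is an added illustration, not Tomcat's code and not part of the bug report. It assumes a hypothetical application that builds a dispatcher target of the form `/page.jsp?next=<request parameter>` and forwards to it; the helper names (`normalize`, `resolve_vulnerable`, `resolve_fixed`, `is_protected`) and the sample inputs are constructed for the example.

```python
"""Model of the CVE-2008-2370 ordering bug (added example, not Tomcat's code).

A RequestDispatcher target is usually "path?query". If '..' segments are
collapsed while the query string is still attached, a parameter value such
as "/../../WEB-INF/web.xml" eats the real path segments and what is left
is a protected resource with no query string at all.
"""
from typing import Tuple

# Hypothetical application: the dispatcher target is built from a request
# parameter, e.g. request.getRequestDispatcher("/page.jsp?next=" + value).
def build_dispatcher_target(page: str, param_value: str) -> str:
    return f"/{page}?next={param_value}"


def normalize(path: str) -> str:
    """Collapse '', '.' and '..' segments of an absolute path.

    This is a simplified RFC 3986-style normaliser written for the example;
    it is not the container's own implementation.
    """
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()          # climb one level (no-op at the root)
            continue
        out.append(seg)
    return "/" + "/".join(out)


def split_query(uri: str) -> Tuple[str, str]:
    """Split 'path?query' at the first '?'; no '?' gives an empty query."""
    path, _, query = uri.partition("?")
    return path, query


def resolve_vulnerable(uri: str) -> Tuple[str, str]:
    """Buggy order: normalise the whole URI, then remove the query string.

    The '?' and the parameter name sit inside a path segment while '..' is
    processed, so '..' can discard them together with the real path.
    """
    normalized = normalize(uri)
    return split_query(normalized)


def resolve_fixed(uri: str) -> Tuple[str, str]:
    """Corrected order: remove the query string first, then normalise.

    Whatever the parameter value contains, it never takes part in path
    normalisation, so it cannot change which resource is dispatched to.
    """
    path, query = split_query(uri)
    return normalize(path), query


def is_protected(path: str) -> bool:
    """Servlet containers refuse direct client access to these directories;
    a dispatcher forward, however, is a server-side request and reaches them."""
    return path.startswith("/WEB-INF/") or path.startswith("/META-INF/")


def demo() -> dict:
    # Constructed sample inputs: one benign parameter, one traversal payload.
    benign = build_dispatcher_target("page.jsp", "/home")
    attack = build_dispatcher_target("page.jsp", "/../../WEB-INF/web.xml")
    return {
        "benign_vulnerable": resolve_vulnerable(benign),
        "benign_fixed": resolve_fixed(benign),
        "attack_vulnerable": resolve_vulnerable(attack),
        "attack_fixed": resolve_fixed(attack),
    }


if __name__ == "__main__":
    for name, (path, query) in demo().items():
        flag = "PROTECTED RESOURCE EXPOSED" if is_protected(path) else "ok"
        print(f"{name:18} -> path={path!r} query={query!r}  [{flag}]")
```

For the benign parameter both orders agree, which is why the bug is easy to miss in normal testing; only a value containing `..` makes the two orders diverge, and then the buggy order lands on `/WEB-INF/web.xml` with the query string gone. The practical check for an application is to confirm that any user-controlled value that ends up in a dispatcher target can never reach the path part, and to upgrade to a container version that strips the query string before normalising.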
--- Begin Message ---
Version: 5.5.26-4

Forgot to close the bug in the upload.



--- End Message ---