Your message dated Wed, 15 Oct 2008 13:17:08 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496309: fixed in tomcat5.5 5.5.26-5
has caused the Debian Bug report #496309,
regarding CVE-2008-2938: arbitrary file access
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
496309: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496309
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: tomcat5.5
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for tomcat5.5.

CVE-2008-2938[0]:
| Directory traversal vulnerability in Apache Tomcat 4.1.0 through
| 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when
| allowLinking and UTF-8 are enabled, allows remote attackers to read
| arbitrary files via encoded directory traversal sequences in the URI,
| a different vulnerability than CVE-2008-2370.  NOTE: versions earlier
| than 6.0.18 were reported affected, but the vendor advisory lists
| 6.0.16 as the last affected version.

The upstream advisory can be found here[1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
    http://security-tracker.debian.net/tracker/CVE-2008-2938
[1] http://tomcat.apache.org/security-5.html



--- End Message ---
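Added illustration of the defender-side check this class of bug calls for (example code written for this page, not Tomcat's or Debian's): the request path is percent-decoded exactly once and decoded as strict UTF-8 before any `..` normalisation, and the resolved file, with symlinks followed, must still lie under the document root. The allow_linking=False branch assumes Tomcat's allowLinking semantics (refuse any path that passes through a symlink); the fixture paths are constructed and POSIX symlinks are assumed.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote_to_bytes

def decode_uri_path(raw: str) -> str:
    """Percent-decode once, then decode as strict UTF-8, BEFORE '.'/'..' handling.
    Malformed UTF-8 raises UnicodeDecodeError; NUL bytes are refused outright."""
    path = unquote_to_bytes(raw).decode("utf-8")
    if "\x00" in path:
        raise ValueError("NUL byte in request path")
    return path

def resolve_under_docroot(docroot: str, raw_uri_path: str,
                          allow_linking: bool) -> Optional[str]:
    """Return the filesystem path to serve, or None if the request must be refused."""
    try:
        decoded = decode_uri_path(raw_uri_path)
    except (UnicodeDecodeError, ValueError):
        return None
    root = os.path.realpath(docroot)
    # Lexical normalisation collapses '.', '..' and '//' in the DECODED path.
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # '..' segments escaped the document root
    real = os.path.realpath(candidate)
    if not allow_linking and real != candidate:
        return None  # assumed allowLinking semantics: no symlink anywhere in the path
    if os.path.commonpath([root, real]) != root:
        return None  # linking allowed, but the link target must stay inside the root
    return real

def demo() -> dict:
    """Constructed fixture: a docroot with one page and a symlink pointing outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "webapp")
    os.mkdir(root)
    open(os.path.join(root, "index.html"), "w").close()
    outside = os.path.join(base, "outside.txt")
    open(outside, "w").close()
    os.symlink(outside, os.path.join(root, "link.txt"))
    return {
        "plain": resolve_under_docroot(root, "/index.html", True),
        "dotdot": resolve_under_docroot(root, "/../outside.txt", True),
        "encoded": resolve_under_docroot(root, "/%2e%2e/outside.txt", True),
        "double": resolve_under_docroot(root, "/%252e%252e/outside.txt", True),
        "bad_utf8": resolve_under_docroot(root, "/%ff/index.html", True),
        "link_on": resolve_under_docroot(root, "/link.txt", True),
        "link_off": resolve_under_docroot(root, "/link.txt", False),
    }
```

Note that the double-encoded request is decoded only once and so stays inside the root as a literal file name (a 404, not a traversal), which is the behaviour a server must preserve.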
--- Begin Message ---
Source: tomcat5.5
Source-Version: 5.5.26-5

We believe that the bug you reported is fixed in the latest version of
tomcat5.5, which is due to be installed in the Debian FTP archive:

libtomcat5.5-java_5.5.26-5_all.deb
  to pool/main/t/tomcat5.5/libtomcat5.5-java_5.5.26-5_all.deb
tomcat5.5-admin_5.5.26-5_all.deb
  to pool/main/t/tomcat5.5/tomcat5.5-admin_5.5.26-5_all.deb
tomcat5.5-webapps_5.5.26-5_all.deb
  to pool/main/t/tomcat5.5/tomcat5.5-webapps_5.5.26-5_all.deb
tomcat5.5_5.5.26-5.diff.gz
  to pool/main/t/tomcat5.5/tomcat5.5_5.5.26-5.diff.gz
tomcat5.5_5.5.26-5.dsc
  to pool/main/t/tomcat5.5/tomcat5.5_5.5.26-5.dsc
tomcat5.5_5.5.26-5_all.deb
  to pool/main/t/tomcat5.5/tomcat5.5_5.5.26-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <[EMAIL PROTECTED]> (supplier of updated tomcat5.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])



Format: 1.8
Date: Wed, 15 Oct 2008 14:00:39 +0200
Source: tomcat5.5
Binary: tomcat5.5 libtomcat5.5-java tomcat5.5-webapps tomcat5.5-admin
Architecture: source all
Version: 5.5.26-5
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Matthias Klose <[EMAIL PROTECTED]>
Description: 
 libtomcat5.5-java - Java Servlet engine -- core libraries
 tomcat5.5  - Servlet and JSP engine
 tomcat5.5-admin - Java Servlet engine -- admin & manager web interfaces
 tomcat5.5-webapps - Java Servlet engine -- documentation and example web applications
Closes: 495235 496309 498487
Changes: 
 tomcat5.5 (5.5.26-5) unstable; urgency=medium
 .
   * Merge changes from Ubuntu:
     - Use default-jre-headless, default-jdk as preferred alternatives.
     - tomcat5.5.init: Fix JDK list to match default-jre, java-6-openjdk
       and java-6-cacao. Closes: #495235.
     - tomcat5.5.postinst: Removed superfluous /etc/tomcat5.5/tomcat5.5 linking.
       Closes: #498487.
   * debian/copyright: Reference Apache 2.0 license in /usr/share/common/licenses
 .
 tomcat5.5 (5.5.26-4) unstable; urgency=high
 .
   * Security issues fixed.
     - CVE-2008-1232: Cross-site scripting
     - CVE-2008-2370: Information disclosure
     - CVE-2008-2938: Directory traversal. Closes: #496309.




--- End Message ---
_______________________________________________
pkg-java-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers