Bug#: 188871
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: William L. Thomson Jr. (RETIRED) <wltjr@gentoo.org>

Description:   Opened: 2007-08-14 17:45 0000
Severity:
Low (Cross-site scripting)

Vendor:
The Apache Software Foundation

Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24

Description:
The Host Manager Servlet does not filter user supplied data before
display. This enables an XSS attack.

Mitigation:
Log out (close browser) of the Host Manager application once admin
tasks are complete
Upgrade to 6.0.14

------- Comment #1 From William L. Thomson Jr. (RETIRED) 2007-08-14 17:49:22 0000 -------
6.0.14 is in tree, recently requested stabilization of 6.0.13. We might rush
stabilize 6.0.14. No changes to package short of upstream code modifications,
which mostly seem to be bug fixes and etc.

------- Comment #2 From Pierre-Yves Rofes 2007-08-24 14:13:22 0000 -------
I'll close the other two bugs since they affect the same versions. William, is
it okay to call arches for stabling 6.0.14? And what about the 5.x series?
Please advise.

------- Comment #3 From Pierre-Yves Rofes 2007-08-24 14:13:53 0000 -------
*** Bug 188869 has been marked as a duplicate of this bug. ***

------- Comment #4 From Pierre-Yves Rofes 2007-08-24 14:14:31 0000 -------
*** Bug 188868 has been marked as a duplicate of this bug. ***

------- Comment #5 From William L. Thomson Jr. (RETIRED) 2007-08-24 14:32:26 0000 -------
(In reply to comment #2)
> I'll close the others two bugs since they affect the same versions. William, is
> it okay to call arches for stabling 6.0.14?

Yes, 6.0.14 is good to go for stabilization.

> And what about the 5.x series? please advise.

Upstream is supposed to do a 5.5.25 release for weeks now. No clue when there
will be a release. Till then 5.5.24 is affected by the issues, although they
are low severity. They cannot run the host manager to avoid one of the issues.
The other two are a bit harder, and it's recommended all around to upgrade to
6.0.14.

But some are reluctant :)

------- Comment #6 From Pierre-Yves Rofes 2007-08-24 14:46:45 0000 -------
thanks for the info.
Arches, please test and mark stable www-servers/tomcat-6.0.14.
Target keywords are: "amd64 ppc ppc64 x86 ~x86-fbsd"

------- Comment #7 From Tobias Scherbaum 2007-08-24 20:35:22 0000 -------
ppc stable

------- Comment #8 From William L. Thomson Jr. (RETIRED) 2007-08-24 22:27:19 0000 -------
Looks like they are about to tag 5.5.25 and release it finally.

http://marc.info/?l=tomcat-dev&m=118798774800543&w=2

------- Comment #9 From William L. Thomson Jr. (RETIRED) 2007-08-24 23:33:25 0000 -------
amd64 stable

------- Comment #10 From Christoph Mende 2007-08-28 20:26:05 0000 -------
(In reply to comment #9)
> amd64 stable

------- Comment #11 From Markus Rothe 2007-08-29 10:18:04 0000 -------
ppc64 stable

------- Comment #12 From Christian Faulhammer 2007-08-31 21:42:12 0000 -------
x86 stable, sorry for the delay, readding ppc64, you forgot
dev-java/tomcat-servlet-api-6.0.14

------- Comment #13 From Markus Rothe 2007-09-02 15:06:39 0000 -------
thanks opfer. dev-java/tomcat-servlet-api-6.0.14 stable on ppc64

------- Comment #14 From Sune Kloppenborg Jeppesen 2007-09-08 15:38:44 0000 -------
This one is ready for GLSA vote. I vote NO.

------- Comment #15 From Pierre-Yves Rofes 2007-09-08 15:44:19 0000 -------
voting NO too and closing.
