Severity: Low (Cross-site scripting)
Vendor: The Apache Software Foundation
Versions Affected: 6.0.0 to 6.0.13, 5.5.0 to 5.5.24
Description: The Host Manager Servlet does not filter user-supplied data before display. This enables an XSS attack.
Mitigation: Log out (close browser) of the Host Manager application once admin tasks are complete. Upgrade to 6.0.14.
6.0.14 is in tree; I recently requested stabilization of 6.0.13. We might rush-stabilize 6.0.14. No changes to the package short of upstream code modifications, which mostly seem to be bug fixes etc.
I'll close the other two bugs since they affect the same versions. William, is it okay to call arches for stabling 6.0.14? And what about the 5.x series? Please advise.
*** Bug 188869 has been marked as a duplicate of this bug. ***
*** Bug 188868 has been marked as a duplicate of this bug. ***
(In reply to comment #2)
> I'll close the other two bugs since they affect the same versions. William, is
> it okay to call arches for stabling 6.0.14?

Yes, 6.0.14 is good to go for stabilization.

> And what about the 5.x series? Please advise.

Upstream is supposed to do a 5.5.25 release for weeks now. No clue when there will be a release. Till then 5.5.24 is affected by the issues, although they are low severity. They can not run the host manager to avoid one of the issues. The other two are a bit harder, and it's recommended all around to upgrade to 6.0.14. But some are reluctant :)
Thanks for the info. Arches, please test and mark stable www-servers/tomcat-6.0.14. Target keywords are: "amd64 ppc ppc64 x86 ~x86-fbsd"
ppc stable
Looks like they are about to tag 5.5.25 and release it finally. http://marc.info/?l=tomcat-dev&m=118798774800543&w=2
amd64 stable
(In reply to comment #9)
> amd64 stable
ppc64 stable
x86 stable, sorry for the delay. Re-adding ppc64, you forgot dev-java/tomcat-servlet-api-6.0.14
Thanks opfer. dev-java/tomcat-servlet-api-6.0.14 stable on ppc64
This one is ready for GLSA vote. I vote NO.
Voting NO too and closing.