Bug 225477 (CVE-2008-1947) - www-servers/tomcat <5.5.27 <6.0.18 Information disclosure and XSS (CVE-2008-{1232,1947,2370,2938})
Summary: www-servers/tomcat <5.5.27 <6.0.18 Information disclosure and XSS (CVE-2008-{...
Status: RESOLVED FIXED
Alias: CVE-2008-1947
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://marc.info/?l=tomcat-user&m=121...
Whiteboard: B3 [noglsa]
Keywords:
Duplicates: 234441 237409
Depends on: 234684 237409
Blocks:
Reported: 2008-06-08 23:02 UTC by Robert Buchholz (RETIRED)
Modified: 2008-11-26 18:40 UTC (History)
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
www-servers:tomcat-5.5.27:20080911-193515.log (www-servers:tomcat-5.5.27:20080911-193515.log,13.76 KB, text/plain)
2008-09-11 19:40 UTC, Markus Meier

Description Robert Buchholz (RETIRED) gentoo-dev 2008-06-08 23:02:47 UTC
CVE-2008-1947 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1947):
  Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through
  5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary
  web script or HTML via the name parameter (aka the hostname attribute) to
  host-manager/html/add.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-06-08 23:05:02 UTC
http://tomcat.apache.org/security-6.html:
"Fixed in Apache Tomcat 6.0.SVN

    low: Cross-site scripting CVE-2008-1947

    The Host Manager web application did not escape user provided data before including it in the output. This enabled a XSS attack. This application now filters the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.

    Affects: 6.0.0-6.0.16"

http://tomcat.apache.org/security-5.html:
"Fixed in Apache Tomcat 5.5.SVN

    low: Cross-site scripting CVE-2008-1947

    The Host Manager web application did not escape user provided data before including it in the output. This enabled a XSS attack. This application now filters the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.

    Affects: 5.5.9-5.5.26"
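The two upstream notes quoted above describe the defect in one sentence: a request parameter was copied into the HTML response without escaping, and the fix is to filter it before use. As an added illustration (not Tomcat's Host Manager code; class and method names are assumptions), the following Java program renders a constructed "name" value both verbatim and after HTML escaping, and additionally shows an allow-list check, since a hostname never legitimately contains markup characters:

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not code from Apache Tomcat. Contrasts echoing a
 * user-supplied value into HTML unchanged with escaping it first, which
 * is the behaviour change the upstream advisory describes. All names are
 * illustrative assumptions.
 */
public final class HostManagerEscapeExample {

    /** Escape the characters that change meaning in HTML text and attribute values. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Pre-fix style: the parameter lands in the page unchanged, so markup in it is interpreted by the browser. */
    static String renderUnsafe(String name) {
        return "<p>Host " + name + " added.</p>";
    }

    /** Post-fix style: every user-controlled fragment passes through escapeHtml() before concatenation. */
    static String renderSafe(String name) {
        return "<p>Host " + escapeHtml(name) + " added.</p>";
    }

    /** Allow-list validation: letters, digits, dots and hyphens only, which rules out markup entirely. */
    static boolean isPlausibleHostname(String name) {
        return name != null && name.matches("[A-Za-z0-9.-]{1,253}");
    }

    public static void main(String[] args) {
        // Constructed sample values for the demonstration; not taken from the bug report.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("benign", "vhost.example");
        samples.put("markup", "vhost<b>bold</b>.example");
        for (Map.Entry<String, String> e : samples.entrySet()) {
            String name = e.getValue();
            System.out.println(e.getKey() + ": valid hostname? " + isPlausibleHostname(name));
            System.out.println("  unsafe: " + renderUnsafe(name));
            System.out.println("  safe:   " + renderSafe(name));
        }
    }
}
```

Escaping at the point of output is the change that closes the defect regardless of what the input looks like; the hostname allow-list is a second, independent layer that rejects malformed values before they reach the management code at all. The upstream mitigation of logging out of the management application after use limits how long an authenticated session exists for such a page to act on.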
Comment 2 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-06-16 15:53:08 UTC
Seems like a recurrence of bug 182262, and http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2450

There have been warnings in the ebuild for manager and example apps for a while now. I don't see a reason or need to take further action. At least till upstream releases another version. Hopefully with a fix, but with the recurrence of bugs relating to unescaped stuff. I would just assume leave the warnings for a period even beyond upstream addressing the issue. As I have since the last bug, and here we have another :)
Comment 3 Anton Bolshakov 2008-08-01 22:43:19 UTC
The new version is out. It fixes another vulnerability:
CVE-2008-1232
Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680947&view=rev 
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-08-02 12:12:12 UTC
wltjr, there's a 6.0.18 release fixing the three issues. For 5.5, there is none yet. Do you know if there is one planned for the near future?
Comment 5 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-08-02 20:50:22 UTC
I added 6.0.18, I am traveling on business I have no info on 5.5.x at this time. I will comment when I have more info there.
Comment 6 Anton Bolshakov 2008-08-12 02:48:19 UTC
One more critical vulnerability has been published:

CVE-2008-2938:
Title: Apache Tomcat Directory Traversal Vulnerability
Severity: High
Impact: Remote File Disclosure 
Solution: upgrade to 6.0.18

I guess 6.0.18 should go stable as soon as possible.
Comment 7 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-08-13 22:23:28 UTC
*** Bug 234441 has been marked as a duplicate of this bug. ***
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-08-14 11:29:23 UTC
Stabling of =www-servers/tomcat-6.0.18 is handled in blocking bug. We're still waiting for the 5.5* release.
Comment 9 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-08-15 21:17:45 UTC
5.5.x might see a new release sometime first part of next week.
Comment 10 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-08-27 11:29:38 UTC
6.0.18 is stable now, I think we can close the other bug, but will let someone from security do that. This one can remain.

Still waiting on upstream for 5.5.x. They are having issues with patching and building. Present status is discussion under a thread on the tomcat -dev ml called

 5.5.27 blocker: URIEncoding UTF-8 broken for 5.5.trunk

So once they resolve that, can build 5.5.27 or what ever version when released. Not much I can do. I don't think I can even patch the one in tree, based on what I am seeing going on with upstream. They aren't having an easy time, so I doubt I will do any better :)
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-08-27 13:50:25 UTC
(In reply to comment #10)
> Still waiting on upstream for 5.5.x. They are having issues with patching and
> building. 

Thanks, please keep us updated when the issue is resolved.
Comment 12 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-08-29 12:25:19 UTC
5.5.27 release testing binaries are out. A full release should be coming in a couple days. I will bump as soon as upstream stamps and releases 5.5.27 sources.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-09-11 15:15:47 UTC
Anyone able to bump to 5.5.27 ?
Comment 14 Miroslav Šulc gentoo-dev 2008-09-11 17:29:36 UTC
As wltjr does not maintain tomcat anymore, I bumped tomcat to 5.5.27. I suppose this bug should be closed so closing it. If not then please reopen it.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-09-11 17:53:47 UTC
Miroslav, please do not close security bugs. Also, we're usually handling stablings on the bug itself.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-09-11 17:54:08 UTC
(reopening)
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-09-11 17:54:37 UTC
*** Bug 237409 has been marked as a duplicate of this bug. ***
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-09-11 17:56:37 UTC
Arches, please test and mark stable:
=www-servers/tomcat-5.5.27
Target keywords : "amd64 x86"
Comment 19 Markus Meier gentoo-dev 2008-09-11 19:40:11 UTC
Created attachment 165211 [details]
www-servers:tomcat-5.5.27:20080911-193515.log

fails on amd64/x86 with ibm-jdk-1.{4,6}.

www-servers/tomcat-5.5.27 [5.5.26] USE="doc examples java5 source test -admin*"

GENTOO_VM=ibm-jdk-bin-1.6  CLASSPATH="" JAVA_HOME="/opt/ibm-jdk-bin-1.6.0.1"
JAVACFLAGS="-source 1.5 -target 1.5" COMPILER="javac"

Portage 2.1.4.4 (default/linux/amd64/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.26.3 x86_64)
=================================================================
System uname: 2.6.26.3 x86_64 Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz
Timestamp of tree: Thu, 11 Sep 2008 19:00:01 +0000
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.5.2-r7
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind /var/lib/hsqldb /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j2"
PKGDIR="/mnt/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa amd64 apache2 berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus doc dri dvd dvdr dvdread eds emboss encode esd evo examples fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog jpeg kde kerberos ldap libnotify mad midi mikmod mmx mp3 mpeg mudflap multilib ncurses nls nptl nptlonly nsplugin ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session source spell spl sse sse2 ssl startup-notification svg sysfs tcpd test tiff truetype unicode usb vorbis xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 20 Miroslav Šulc gentoo-dev 2008-09-12 10:12:49 UTC
The same problem occurs with tomcat-5.5.26 which was made stable. The problem is tomcat uses Sun specific packages so tomcat will build only with Sun JDKs. I'll look for a solution that will fail in a more user-friendly way.
Comment 21 Miroslav Šulc gentoo-dev 2008-09-12 17:14:16 UTC
The problem with com.sun.* packages should be fixed in CVS now. Please also stabilize java-virtuals/jdk-with-com-sun-20080505-r1, I had to add blackdown-jdk-1.4.2 to the virtuals so a 1.4 JDK with com.sun.* packages is available on amd64 systems.
Comment 22 Markus Meier gentoo-dev 2008-09-17 21:46:13 UTC
amd64/x86 stable, thanks for the quick responses in #gentoo-java. all arches done.
Comment 23 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-18 22:00:11 UTC
both 5.5 and 6.0 are stable, now time to vote... I vote NO glsa.
Comment 24 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 01:54:08 UTC
Shouldn't 5.5.26 get masked?
Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:40:55 UTC
NO as well, closing.