173122 2007-04-02 11:47 0000 www-servers/tomcat directory traversal (CVE-2007-0450) 2007-05-02 03:03:43 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450 B4 [glsa] jaervosz P2 minor --- 173150 1 jaervosz@gentoo.org security@gentoo.org java@gentoo.org py@gentoo.org jaervosz@gentoo.org 2007-04-02 11:47:19 0000 Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache. jaervosz@gentoo.org 2007-04-02 11:47:43 0000 Java please advise. jaervosz@gentoo.org 2007-04-02 11:57:12 0000 *** Bug 173125 has been marked as a duplicate of this bug. *** caster@gentoo.org 2007-04-02 12:30:04 0000 It's the maintainer's call :) wltjr@gentoo.org 2007-04-02 13:31:55 0000 I have no problem with stabilization of 5.5.23 or 6.0.10. However both have been migrated to split-ant, and split-ant and etc has not been stabilized yet. So ebuild might need to be modified before stabilized. Now for what's it's worth I can't replicate this problem at all. I have tried on machines that should be vulnerable but aren't At best with the exploit url modified for my domain and etc, I get a blank page. From both 5.5.20, and 6.0.10. But I am all for stabilizing the current versions of Tomcat. 6.0.11 is likely to release later this week. wltjr@gentoo.org 2007-04-02 16:32:59 0000 Ok, 5.5.23 has been updated to be non-split ant aware. So it can be stabilized ASAP once deps are stabilized. To address the security concerns, that I still have yet to be able to replicate. As for 6.0.10, let's hold off. There is a mem leak in the nio code, and an upcoming 6.0.11 with that fix and some others. Not to mention only 5.5.x is stable. So that's our main concern per vulnerability. betelgeuse@gentoo.org 2007-04-02 16:34:27 0000 (In reply to comment #5) > Ok, 5.5.23 has been updated to be non-split ant aware. So it can be stabilized > ASAP once deps are stabilized. To address the security concerns, that I still > have yet to be able to replicate. > Adding arches. fauli@gentoo.org 2007-04-03 07:40:35 0000 x86 stable wltjr@gentoo.org 2007-04-07 00:35:50 0000 amd64 stable betelgeuse@gentoo.org 2007-04-09 00:32:29 0000 (In reply to comment #8) > amd64 stable > Just to note that all arches are done now and security can do their magic. jaervosz@gentoo.org 2007-04-11 10:39:28 0000 Thx. This one is ready for GLSA decision. falco@gentoo.org 2007-04-23 19:57:23 0000 i vote yes since attemps to read parent directories is very common agains webapps. aetius@gentoo.org 2007-04-24 19:49:27 0000 I vote yes, same reason as Falco - very common attack, very common webserver. Changing status and submitting request. falco@gentoo.org 2007-05-02 03:03:43 0000 GLSA 200705-03, thanks everybody