
Bug 188871

Summary: www-servers/tomcat < 6.0.14 multiple vulnerabilities (CVE-2007-338{2,5,6})
Product: Gentoo Security
Reporter: William L. Thomson Jr. (RETIRED) <wltjr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: java
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/26466/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description William L. Thomson Jr. (RETIRED) gentoo-dev 2007-08-14 17:45:53 UTC
Severity:
Low (Cross-site scripting)

Vendor:
The Apache Software Foundation

Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24

Description:
The Host Manager Servlet does not filter user supplied data before
display. This enables an XSS attack.

Mitigation:
Log out (close browser) of the Host Manager application once admin
tasks are complete
Upgrade to 6.0.14
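The advisory above names the pattern without showing it: an admin servlet writes user-supplied data (here, a host name) into its HTML response without escaping, so anyone who can get that data into the page gets script running with the logged-in admin's session, which is why the interim mitigation is to log out as soon as the admin task is done. The following is an added illustration, not Tomcat's Host Manager code and not from this bug; the servlet API is left out so it compiles stand-alone, `renderVulnerable`/`renderHardened` stand in for the part of a servlet that writes the response body, and the attacker-controlled host name is a constructed input.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;

/*
 * Added example (not Tomcat's own code): the reflected-XSS pattern described
 * in the advisory, beside its hardened form. Host names play the role of
 * user-supplied data that reaches an admin page unfiltered.
 */
public class HostManagerXssDemo {

    // Constructed input: a host name carrying markup. Nothing validates it
    // before it is rendered for the administrator.
    static final String ATTACKER_HOST =
        "evil.example\"><script>alert(document.cookie)</script>";

    // Vulnerable: the raw value is concatenated into both an attribute value
    // and element content, so the closing quote and <script> tag survive.
    static String renderVulnerable(List<String> hosts) {
        StringBuilder sb = new StringBuilder("<html><body><h1>Hosts</h1><ul>");
        for (String h : hosts) {
            sb.append("<li><a href=\"/host-manager/html/stop?name=")
              .append(h).append("\">")
              .append(h).append("</a></li>");
        }
        return sb.append("</ul></body></html>").toString();
    }

    // Hardened: every insertion is encoded for the context it lands in.
    // The query-string value is URL-encoded, then the whole attribute value
    // and the link text are HTML-escaped, so the markup is displayed as text.
    static String renderHardened(List<String> hosts) {
        StringBuilder sb = new StringBuilder("<html><body><h1>Hosts</h1><ul>");
        for (String h : hosts) {
            String urlValue = URLEncoder.encode(h, StandardCharsets.UTF_8);
            sb.append("<li><a href=\"/host-manager/html/stop?name=")
              .append(escapeHtml(urlValue)).append("\">")
              .append(escapeHtml(h)).append("</a></li>");
        }
        return sb.append("</ul></body></html>").toString();
    }

    // Minimal HTML escaping sufficient for element content and
    // double-quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Quick check a reviewer can run over rendered output: does a raw
    // <script tag from the input survive into the page?
    static boolean reflectsRawScript(String html) {
        return html.contains("<script");
    }

    public static void main(String[] args) {
        List<String> hosts = List.of("localhost", ATTACKER_HOST);
        String vulnerable = renderVulnerable(hosts);
        String hardened = renderHardened(hosts);
        System.out.println("vulnerable reflects <script>: " + reflectsRawScript(vulnerable));
        System.out.println("hardened reflects <script>:   " + reflectsRawScript(hardened));
        System.out.println(hardened);
    }
}
```

The point of the two encoders in `renderHardened` is that the same value lands in two different contexts (a URL query parameter inside an attribute, and element text), and each context needs its own encoding; escaping once for HTML is not enough for the URL part, and URL-encoding alone is not enough for the attribute. The advisory's "log out once admin tasks are complete" mitigation addresses the consequence rather than the cause: with no live admin session, script reflected into the page has nothing to act on.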
Comment 1 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-08-14 17:49:22 UTC
6.0.14 is in tree, recently requested stabilization of 6.0.13. We might rush stabilize 6.0.14. No changes to package short of upstream code modifications, which mostly seem to be bug fixes etc.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-24 14:13:22 UTC
I'll close the other two bugs since they affect the same versions. William, is it okay to call arches for stabling 6.0.14? And what about the 5.x series? please advise.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-24 14:13:53 UTC
*** Bug 188869 has been marked as a duplicate of this bug. ***
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-24 14:14:31 UTC
*** Bug 188868 has been marked as a duplicate of this bug. ***
Comment 5 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-08-24 14:32:26 UTC
(In reply to comment #2)
> I'll close the others two bugs since they affect the same versions. William, is
> it okay to call arches for stabling 6.0.14?

Yes, 6.0.14 is good to go for stabilization.

> And what about the 5.x series? please advise.

Upstream is supposed to do a 5.5.25 release for weeks now. No clue when there will be a release. Till then 5.5.24 is affected by the issues, although they are low severity. They cannot run the host manager to avoid one of the issues. The other two are a bit harder, and it's recommended all around to upgrade to 6.0.14.

But some are reluctant :)

Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-24 14:46:45 UTC
thanks for the info.
Arches, please test and mark stable www-servers/tomcat-6.0.14.
Target keywords are: "amd64 ppc ppc64 x86 ~x86-fbsd"
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-24 20:35:22 UTC
ppc stable
Comment 8 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-08-24 22:27:19 UTC
Looks like they are about to tag 5.5.25 and release it finally.

http://marc.info/?l=tomcat-dev&m=118798774800543&w=2
Comment 9 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-08-24 23:33:25 UTC
amd64 stable
Comment 10 Christoph Mende (RETIRED) gentoo-dev 2007-08-28 20:26:05 UTC
(In reply to comment #9)
> amd64 stable
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2007-08-29 10:18:04 UTC
ppc64 stable
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2007-08-31 21:42:12 UTC
x86 stable, sorry for the delay, readding ppc64, you forgot dev-java/tomcat-servlet-api-6.0.14
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2007-09-02 15:06:39 UTC
thanks opfer. dev-java/tomcat-servlet-api-6.0.14 stable on ppc64
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-08 15:38:44 UTC
This one is ready for GLSA vote. I vote NO.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-08 15:44:19 UTC
voting NO too and closing.