Bug 225477 - www-servers/tomcat <5.5.27 <6.0.18 Information disclosure and XSS (CVE-2008-{1232,1947,2370,2938})
Bug#: 225477 (CVE-2008-1947) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL:  http://marc.info/?l=tomcat-user&m=121244319501278&w=2
Summary: www-servers/tomcat <5.5.27 <6.0.18 Information disclosure and XSS (CVE-2008-{1232,1947,2370,2938})
Keywords:  
Status Whiteboard: B3 [noglsa]
Opened: 2008-06-08 23:02 0000
Description:
CVE-2008-1947 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1947):
  Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through
  5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary
  web script or HTML via the name parameter (aka the hostname attribute) to
  host-manager/html/add.

------- Comment #1 From Robert Buchholz 2008-06-08 23:05:02 0000 -------
http://tomcat.apache.org/security-6.html:
"Fixed in Apache Tomcat 6.0.SVN

    low: Cross-site scripting CVE-2008-1947

    The Host Manager web application did not escape user provided data before
including it in the output. This enabled a XSS attack. This application now
filters the data before use. This issue may be mitigated by logging out
(closing the browser) of the application once the management tasks have been
completed.

    Affects: 6.0.0-6.0.16"

http://tomcat.apache.org/security-5.html:
"Fixed in Apache Tomcat 5.5.SVN

    low: Cross-site scripting CVE-2008-1947

    The Host Manager web application did not escape user provided data before
including it in the output. This enabled a XSS attack. This application now
filters the data before use. This issue may be mitigated by logging out
(closing the browser) of the application once the management tasks have been
completed.

    Affects: 5.5.9-5.5.26"
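
The advisory quoted above names the root cause (the user-supplied hostname was written into the Host Manager's HTML output unescaped) and the fix (the data is filtered before use). The following is an added illustration of that "before" and "after", not Tomcat's own Host Manager code; the class and method names are hypothetical and the sample hostname is constructed.

```java
// Added example (not Tomcat's code). In the Host Manager the value shown
// here arrives as request.getParameter("name") on host-manager/html/add.
public class AddHostExample {

    // Vulnerable pattern: the hostname is concatenated straight into the
    // HTML status message, so any markup in it becomes part of the page.
    static String renderUnsafe(String name) {
        return "<p>Added host " + name + "</p>";
    }

    // Hardened pattern: HTML-escape the value before it is written out.
    // Each HTML-significant character becomes an entity, so the browser
    // renders it as text instead of interpreting it as markup.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static String renderSafe(String name) {
        return "<p>Added host " + escapeHtml(name) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample: a "hostname" that carries HTML markup.
        String name = "example.org<b>not-a-host</b>";
        System.out.println("unsafe: " + renderUnsafe(name));
        // prints the <b> tag as live markup
        System.out.println("safe:   " + renderSafe(name));
        // prints &lt;b&gt;not-a-host&lt;/b&gt;, rendered as literal text
    }
}
```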

------- Comment #2 From William L. Thomson Jr. (RETIRED) 2008-06-16 15:53:08 0000 -------
Seems like a re-occurrence of bug 182262, and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2450

There have been warnings in the ebuild for manager and example apps for a while
now. I don't see a reason or need to take further action, at least till
upstream releases another version, hopefully with a fix. But with the
re-occurrence of bugs relating to unescaped stuff, I would just as soon leave
the warnings for a period even beyond upstream addressing the issue, as I have
since the last bug, and here we have another :)

------- Comment #3 From Anton Bolshakov 2008-08-01 22:43:19 0000 -------
The new version is out. It fixes another vulnerability:
CVE-2008-1232
Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680947&view=rev 

------- Comment #4 From Robert Buchholz 2008-08-02 12:12:12 0000 -------
wltjr, there's a 6.0.18 release fixing the three issues. For 5.5, there is none
yet. Do you know if there is one planned for the near future?

------- Comment #5 From William L. Thomson Jr. (RETIRED) 2008-08-02 20:50:22 0000 -------
I added 6.0.18, I am traveling on business I have no info on 5.5.x at this
time. I will comment when I have more info there.

------- Comment #6 From Anton Bolshakov 2008-08-12 02:48:19 0000 -------
One more critical vulnerability has been published:

CVE-2008-2938:
Title: Apache Tomcat Directory Traversal Vulnerability
Severity: High
Impact: Remote File Disclosure 
Solution: upgrade to 6.0.18

I guess 6.0.18 should go stable as soon as possible.

------- Comment #7 From William L. Thomson Jr. (RETIRED) 2008-08-13 22:23:28 0000 -------
*** Bug 234441 has been marked as a duplicate of this bug. ***

------- Comment #8 From Robert Buchholz 2008-08-14 11:29:23 0000 -------
Stabling of =www-servers/tomcat-6.0.18 is handled in blocking bug. We're still
waiting for the 5.5* release.

------- Comment #9 From William L. Thomson Jr. (RETIRED) 2008-08-15 21:17:45 0000 -------
5.5.x might see a new release sometime first part of next week.

------- Comment #10 From William L. Thomson Jr. (RETIRED) 2008-08-27 11:29:38 0000 -------
6.0.18 is stable now, I think we can close the other bug, but will let someone
from security do that. This one can remain.

Still waiting on upstream for 5.5.x. They are having issues with patching and
building. Present status is a discussion in a thread on the tomcat-dev ml
called

 5.5.27 blocker: URIEncoding UTF-8 broken for 5.5.trunk

So once they resolve that, I can build 5.5.27 or whatever version is released.
Not much I can do. I don't think I can even patch the one in tree, based on
what I am seeing going on with upstream. They aren't having an easy time, so I
doubt I will do any better :)

------- Comment #11 From Robert Buchholz 2008-08-27 13:50:25 0000 -------
(In reply to comment #10)
> Still waiting on upstream for 5.5.x. They are having issues with patching and
> building. 

Thanks, please keep us updated when the issue is resolved.

------- Comment #12 From William L. Thomson Jr. (RETIRED) 2008-08-29 12:25:19 0000 -------
5.5.27 release testing binaries are out. A full release should be coming in a
couple days. I will bump as soon as upstream stamps and releases 5.5.27
sources.

------- Comment #13 From Robert Buchholz 2008-09-11 15:15:47 0000 -------
Anyone able to bump to 5.5.27 ?

------- Comment #14 From Miroslav Šulc 2008-09-11 17:29:36 0000 -------
As wltjr does not maintain tomcat anymore, I bumped tomcat to 5.5.27. I suppose
this bug should be closed, so I am closing it. If not, then please reopen it.

------- Comment #15 From Robert Buchholz 2008-09-11 17:53:47 0000 -------
Miroslav, please do not close security bugs. Also, we're usually handling
stablings on the bug itself.

------- Comment #16 From Robert Buchholz 2008-09-11 17:54:08 0000 -------
(reopening)

------- Comment #17 From Robert Buchholz 2008-09-11 17:54:37 0000 -------
*** Bug 237409 has been marked as a duplicate of this bug. ***

------- Comment #18 From Robert Buchholz 2008-09-11 17:56:37 0000 -------
Arches, please test and mark stable:
=www-servers/tomcat-5.5.27
Target keywords : "amd64 x86"

------- Comment #19 From Markus Meier 2008-09-11 19:40:11 0000 -------
Created an attachment (id=165211) [details]
www-servers:tomcat-5.5.27:20080911-193515.log

fails on amd64/x86 with ibm-jdk-1.{4,6}.

www-servers/tomcat-5.5.27 [5.5.26] USE="doc examples java5 source test -admin*"

GENTOO_VM=ibm-jdk-bin-1.6  CLASSPATH="" JAVA_HOME="/opt/ibm-jdk-bin-1.6.0.1"
JAVACFLAGS="-source 1.5 -target 1.5" COMPILER="javac"


------- Comment #20 From Miroslav Šulc 2008-09-12 10:12:49 0000 -------
The same problem occurs with tomcat-5.5.26, which was made stable. The problem
is that tomcat uses Sun-specific packages, so tomcat will build only with Sun JDKs.
I'll look for a solution that fails in a more user-friendly way.

------- Comment #21 From Miroslav Šulc 2008-09-12 17:14:16 0000 -------
The problem with com.sun.* packages should be fixed in CVS now. Please also
stabilize java-virtuals/jdk-with-com-sun-20080505-r1, I had to add
blackdown-jdk-1.4.2 to the virtuals so a 1.4 JDK with com.sun.* packages is
available on amd64 systems.

------- Comment #22 From Markus Meier 2008-09-17 21:46:13 0000 -------
amd64/x86 stable, thanks for the quick responses in #gentoo-java. all arches
done.

------- Comment #23 From Pierre-Yves Rofes 2008-09-18 22:00:11 0000 -------
both 5.5 and 6.0 are stable, now time to vote... I vote NO glsa.

------- Comment #24 From Stefan Behte 2008-10-04 01:54:08 0000 -------
Shouldn't 5.5.26 get masked?

------- Comment #25 From Robert Buchholz 2008-11-26 18:40:55 0000 -------
NO as well, closing.