Severity: Low (Session Hi-jacking)

Vendor: The Apache Software Foundation

Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24
5.0.0 to 5.0.30
4.1.0 to 4.1.36
3.3 to 3.3.2

Description: Tomcat incorrectly treats a single quote character (') in a cookie value as a delimiter. In some circumstances this can lead to the leaking of information such as session ID to an attacker.

Mitigation: Upgrade to 6.0.14
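An added example, not part of the original report and not Tomcat's code: a simplified model of the delimiter confusion the advisory describes, next to a parser that only accepts the double quote as a value delimiter. The function names, the `LENIENT`/`STRICT` constants and the sample header are constructed for illustration. That the quoted value runs on across the following `;` is an assumption about how such a parser behaves.

```python
LENIENT = "\"'"  # model of the flaw: ' is also accepted as a value delimiter
STRICT = '"'     # only the double quote delimits a quoted value

def parse_cookies(header, quote_chars):
    """Split a Cookie header into (name, value) pairs.

    A value starting with a character in quote_chars runs to the next
    occurrence of that character, so a ';' inside it is not a separator.
    """
    pairs, i, n = [], 0, len(header)
    while i < n:
        while i < n and header[i] in "; ":      # skip separators
            i += 1
        eq = header.find("=", i)
        if eq == -1:
            break
        name, i = header[i:eq].strip(), eq + 1
        if i < n and header[i] in quote_chars:   # quoted value
            close = header.find(header[i], i + 1)
            end = n if close == -1 else close
            value, i = header[i + 1:end], min(end + 1, n)
        else:                                    # plain value, ends at ';'
            semi = header.find(";", i)
            end = n if semi == -1 else semi
            value, i = header[i:end].strip(), end
        pairs.append((name, value))
        semi = header.find(";", i)               # move past this pair
        i = n if semi == -1 else semi + 1
    return pairs

def delimiter_confusion(header):
    """Return pairs that exist only when ' is treated as a delimiter."""
    strict = parse_cookies(header, STRICT)
    return [p for p in parse_cookies(header, LENIENT) if p not in strict]

# Constructed sample header; the session ID value is a placeholder.
SAMPLE = "theme='blue; JSESSIONID=CONSTRUCTED-ID-0001; note=it's fine"

if __name__ == "__main__":
    print("lenient:", parse_cookies(SAMPLE, LENIENT))
    print("strict: ", parse_cookies(SAMPLE, STRICT))
    print("differs:", delimiter_confusion(SAMPLE))
```

In the lenient parse the `theme` value contains the neighbouring `JSESSIONID` pair, so any code that echoes `theme` back would echo the session ID with it. The strict parse keeps the three cookies separate.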
6.0.14 is in tree, recently requested stabilization of 6.0.13. We might rush stabilize 6.0.14. No changes to package short of upstream code modifications, which mostly seem to be bug fixes, etc.
*** This bug has been marked as a duplicate of bug 188871 ***