CVE-2009-2693 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2693): Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry.
CVE-2009-2901 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2901): The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.
CVE-2009-2902 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2902): Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename.
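The two traversal issues above (a `..` component inside a WAR entry name, and a WAR filename such as `...war`) are both things a deployment pipeline can reject before the archive ever reaches Tomcat. The following is an added example written for this report, not code from Tomcat or from the bug reporter; the helper names `unsafe_war_entries`, `safe_war_filename` and `build_war` are assumptions, and the WAR content is constructed in memory.

```python
import io
import re
import zipfile


def unsafe_war_entries(war_bytes: bytes) -> list[str]:
    """Return WAR entry names that would escape the deployment directory
    (absolute paths, or any '..' path component; backslashes count as
    separators because Tomcat also runs on Windows, cf. catalina.bat)."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            components = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or ".." in components \
                    or re.match(r"^[A-Za-z]:", name):
                unsafe.append(name)
    return unsafe


def safe_war_filename(filename: str) -> bool:
    """Accept only a plain context name plus '.war': the stem must start
    with an alphanumeric, dash or underscore, so '...war' (stem '..')
    and anything carrying a path separator is rejected."""
    return re.fullmatch(r"[A-Za-z0-9_-][A-Za-z0-9._-]*\.war", filename) is not None


def build_war(entry_names: list[str]) -> bytes:
    """Constructed test input: a zip with the given entry names and dummy bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for name in entry_names:
            war.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_war(["WEB-INF/web.xml", "index.jsp", "../../bin/catalina.bat"])
    print("rejected entries:", unsafe_war_entries(sample))
    print("'...war' accepted:", safe_war_filename("...war"))
```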
Hi, can you please advise here? Newer versions would be cool...
tomcat 6.0.26 and related tomcat-servlet-api is in the tree. Could we stabilise please?
(In reply to comment #3)
> tomcat 6.0.26 and related tomcat-servlet-api is in the tree. Could we stabilise
> please?
Let's add arches so it happens.
I've tested both packages on x86, looks good.
ppc64 done
ppc done
x86 stable, thanks Andreas
amd64 stable, all arches done.
GLSA request filed.
This bug is still open because of why?
tomcat 5.5.x has been removed from the main tree because it's heading to its EOL on 2012-09-30 and it's unmaintained on our side (all the effort goes to the 6.x and 7.x releases). tomcat 5.5.x has been moved to java-overlay for those that still need it.
What is the status here? No affected version has been in the tree for quite some time.
This issue was resolved and addressed in GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml by GLSA coordinator Tobias Heinlein (keytoaster).