CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Update 2

Severity: Important

Vendor: Multiple (was The Apache Software Foundation)

Versions Affected: Various

Description (new information):
This vulnerability was originally reported to the Apache Software Foundation as a Tomcat vulnerability. Investigations quickly identified that the root cause was an issue with the UTF-8 charset implementation within the JVM. The issue existed in multiple JVMs including current versions from Sun, HP, IBM, Apple and Apache. It was decided to continue to report this as a Tomcat vulnerability until such time as the JVM vendors had released fixed versions. Unfortunately, the release of fixed JVMs and associated vulnerability disclosure has not been co-ordinated. There has been some confusion within the user community as to the nature and root cause of CVE-2008-2938. Therefore, the Apache Tomcat Security Team is issuing this update to clarify the situation.

Mitigation:
Contact your JVM vendor for further information. Tomcat users may upgrade as follows to a Tomcat version that contains a workaround:
6.0.x users should upgrade to 6.0.18
5.5.x users should upgrade to 5.5.27
4.1.x users should upgrade to 4.1.39

Credit:
This additional information was discovered by the Apache security team.

References:
http://tomcat.apache.org/security.html

The current "work around" is implemented in certain Tomcat versions, thus some of the affected ebuilds should be masked:

Should Be Masked:
tomcat-5.5.26
tomcat-6.0.16

Are Fine:
tomcat-5.5.27-r1
tomcat-6.0.18-r1

Reproducible: Always

Steps to Reproduce:
If a context is configured with allowLinking="true" and the connector is configured with URIEncoding="UTF-8" then a malformed request may be used to access arbitrary files on the server. If the connector is configured with URIEncoding="UTF-8" then a malformed request may be used to access arbitrary files within the docBase of a context such as web.xml.
It should also be noted that setting useBodyEncodingForURI="true" has the same effect as setting URIEncoding="UTF-8" when processing requests with bodies encoded with UTF-8.
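Added example, not code from the Tomcat project or from this bug report: a request-path check that shows the order of operations a container needs when URIEncoding="UTF-8" is in effect. It percent-decodes the raw URI to bytes, decodes those bytes as strict UTF-8 (so overlong or truncated sequences, the kind of malformed input the advisory refers to, are rejected before any path handling), then normalises the path and checks it stays inside the context docBase and outside WEB-INF. The docBase path and the sample request strings are constructed for the example.

```python
import posixpath

HEX = "0123456789abcdefABCDEF"


def percent_decode(raw: str) -> bytes:
    """Turn %XX escapes into raw bytes; do not interpret them as text yet."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "%":
            hex_part = raw[i + 1:i + 3]
            if len(hex_part) != 2 or any(c not in HEX for c in hex_part):
                raise ValueError(f"bad percent escape at offset {i}")
            out.append(int(hex_part, 16))
            i += 3
        else:
            if ord(raw[i]) > 0x7F:
                raise ValueError("non-ASCII byte in raw request line")
            out.append(ord(raw[i]))
            i += 1
    return bytes(out)


def decode_uri_path(raw_path: str) -> str:
    """Strict UTF-8: overlong, truncated and surrogate sequences raise here,
    instead of silently collapsing to ASCII as the lenient JVM decoders did."""
    return percent_decode(raw_path).decode("utf-8", errors="strict")


def classify_request(raw_path: str, doc_base: str = "/srv/tomcat/webapps/ROOT") -> str:
    """Decide whether a request path may be served from doc_base (constructed)."""
    try:
        decoded = decode_uri_path(raw_path)
    except ValueError:  # UnicodeDecodeError is a subclass of ValueError
        return "reject-malformed"
    if "\x00" in decoded:
        return "reject-nul"
    # Normalise only after decoding is known to be well-formed, then check containment.
    joined = posixpath.normpath(posixpath.join(doc_base, decoded.lstrip("/")))
    if joined != doc_base and not joined.startswith(doc_base + "/"):
        return "reject-traversal"
    first_segment = joined[len(doc_base):].lstrip("/").split("/")[0]
    if first_segment.upper() in ("WEB-INF", "META-INF"):
        return "reject-protected"
    return "allow"
```

The "%c0%ae" form used in the test is an overlong two-byte encoding, invalid under RFC 3629; a strict decoder refuses it before the path is ever compared against WEB-INF or the docBase.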
I'm not entirely sure what this bug is about. We accepted CVE-2008-2938 to be an issue within Tomcat (as did upstream) and resolved it with updates to 6.0.18 and 5.5.27 per bug 225477. Is there any news I am missing (except that the old ebuilds might not have been removed yet)?
(In reply to comment #1)
> I'm not entirely sure what this bug is about. We accepted CVE-2008-2938 to be
> an issue within Tomcat (as did upstream) and resolved it with updates to 6.0.18
> and 5.5.27 per bug 225477.
>
> Is there any news I am missing (except that the old ebuilds might not have been
> removed yet)?

I read the other bug, and I felt that requesting that the affected packages be masked or at least marked unstable would be hijacking the closed bug. Also the Tomcat team is still unsure of: "the release of fixed JVMs and associated vulnerability disclosure has not been co-ordinated." So I didn't feel that issue was actually completely done with.

Thanks,
Mike
Old versions are marked vulnerable by GLSA, removal is subject to java team guidelines.
(In reply to comment #3)
> Old versions are marked vulnerable by GLSA, removal is subject to java team
> guidelines.

Old ebuilds nuked so I guess we are done here.