Updated to add additional patches required for 5.5.x and 4.1.x

CVE-2008-5515: Apache Tomcat information disclosure vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18

Description:
When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it under the WEB-INF directory.

Example:
For a page that contains:

<% request.getRequestDispatcher( "bar.jsp?somepar=someval&par=" + request.getParameter( "blah" ) ).forward( request, response ); %>

an attacker can use:

http://host/page.jsp?blah=/../WEB-INF/web.xml

Credit:
This issue was discovered by Iida Minehiko, Fujitsu Limited

Submitting Patches and along with Patches to Ebuild

Reproducible: Always
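The ordering bug in the advisory above, as an added simulation (this is not Tomcat's code and not part of the original bug report). It models a container resolving a request-relative dispatcher path in two orders: normalise first and then strip the query string (the vulnerable order), or strip the query string first and then normalise only the path part (the fixed order). The web application layout, the page_jsp_dispatcher_path helper that mirrors the JSP line from the advisory, and the resource bodies are constructed for the example.

```python
import posixpath
from typing import Callable, Optional, Tuple

# Constructed web application layout for the simulation (not a real deployment):
# two public JSPs, one resource under /WEB-INF and one behind a security constraint.
WEBAPP_RESOURCES = {
    "/page.jsp": "public page that forwards to bar.jsp",
    "/bar.jsp": "public target of the forward",
    "/WEB-INF/web.xml": "<web-app>deployment descriptor, never meant to be served</web-app>",
    "/admin/secret.jsp": "page protected by a security constraint on client requests",
}


def page_jsp_dispatcher_path(blah: str) -> str:
    """Mirror the JSP from the advisory: the 'blah' request parameter is
    concatenated, unchecked, into the RequestDispatcher target path."""
    return "bar.jsp?somepar=someval&par=" + blah


def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes the way a container does.
    posixpath.normpath drops a leading '..' at the root, so this can never
    climb above the application root; the bug is about climbing *within*
    the application, e.g. into /WEB-INF."""
    return posixpath.normpath("/" + path.lstrip("/"))


def split_query(dispatcher_path: str) -> Tuple[str, Optional[str]]:
    """Separate the path part of a dispatcher path from its query string."""
    path_part, sep, query = dispatcher_path.partition("?")
    return path_part, (query if sep else None)


def absolutize(requesting_servlet: str, dispatcher_path: str) -> str:
    """A RequestDispatcher obtained from the Request resolves a relative path
    against the directory of the servlet that asked for it."""
    if dispatcher_path.startswith("/"):
        return dispatcher_path
    return posixpath.join(posixpath.dirname(requesting_servlet), dispatcher_path)


def resolve_vulnerable(requesting_servlet: str, dispatcher_path: str) -> str:
    """Affected ordering (Tomcat 5.5.0-5.5.27, 6.0.0-6.0.18 per the advisory):
    normalise the whole string, then strip the query string. A '/..' inside
    a query value is treated as a path segment and collapses the real path
    components in front of it."""
    normalized = normalize(absolutize(requesting_servlet, dispatcher_path))
    path_part, _query = split_query(normalized)
    return path_part


def resolve_fixed(requesting_servlet: str, dispatcher_path: str) -> str:
    """Fixed ordering: strip the query string first, then normalise only the
    path part, so query values cannot change which resource is resolved."""
    path_part, _query = split_query(absolutize(requesting_servlet, dispatcher_path))
    return normalize(path_part)


def forward(resolver: Callable[[str, str], str],
            requesting_servlet: str, dispatcher_path: str) -> str:
    """Simulate RequestDispatcher.forward(): forwards are internal, so neither
    the WEB-INF rule nor security constraints are applied to the target;
    whatever the resolver picks is served."""
    target = resolver(requesting_servlet, dispatcher_path)
    return WEBAPP_RESOURCES.get(target, "404 Not Found")


if __name__ == "__main__":
    attack = "/../WEB-INF/web.xml"  # value of ?blah= from the advisory
    for name, resolver in (("vulnerable", resolve_vulnerable), ("fixed", resolve_fixed)):
        target = resolver("/page.jsp", page_jsp_dispatcher_path(attack))
        print(f"{name:10} -> {target}: {forward(resolver, '/page.jsp', page_jsp_dispatcher_path(attack))}")
```

The same ordering flaw also redirects the forward to a resource that only a security constraint protects (for example a value of /../admin/secret.jsp), because constraints are evaluated on the client's request, not on the internal forward; the test below covers that case as well as a benign parameter value, which resolves to /bar.jsp in both orders.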
CVE-2008-5515 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5515): Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
Will be added to glsa request.
tomcat 5.5.x has been removed from the main tree because it's heading for its EOL on 2012-09-30 and it's unmaintained on our side (all the effort goes to the 6.x and 7.x releases). tomcat 5.5.x has been moved to java-overlay for those that still need it.
This CVE is already on an existing GLSA request, so added the bug too.
What is the status of this bug? There has been no affected version in the tree for quite some time.
This issue was resolved and addressed in GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml by GLSA coordinator Tobias Heinlein (keytoaster).