| Summary: | www-servers/tomcat < 5.5.22 or < 6.0.10 directory traversal (CVE-2007-0450) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Pierre-Yves Rofes (RETIRED) <py> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | minor | CC: | java, wltjr |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://secunia.com/advisories/24732/ | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
Duping this one as we already have bug #173122. Uncalling arches until we have a green light from java. *** This bug has been marked as a duplicate of bug 173122 *** |
D. Matscheko has reported a security issue in Apache Tomcat, which can be exploited by malicious people to bypass certain security restrictions. If Tomcat is running behind a proxy with context restriction, an error within the handling of certain path delimiters in requests ('2F', '%5C', and '\') can be exploited to bypass the context restrictions and may allow access to non-proxied contexts. The security issue is reported in versions 5.5.0 to 5.5.21, 5.0.0 to 5.5.0.30, and 6.0.0 to 6.0.9. arches, please mark versions 5.5.23 and 6.0.10-r1 stable: keywords for 5.5.23: "~amd64 ppc ppc64 ~x86 ~x86-fbsd" keywords for 6.0.10-r1: "~amd64 ~ppc ~x86 ~x86-fbsd"