| Summary: | <www-servers/tomcat-{5.5.27-r3, 6.0.18-r3}: XSS (CVE-2009-0781) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Mike Weissman <mike> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | java |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://tomcat.apache.org/security.html | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Mike Weissman
2009-03-06 17:16:00 UTC
submitted as revision 7597 in [java-experimental]

Thanks, weisso

+*tomcat-6.0.18-r3 (06 Mar 2009) +*tomcat-5.5.27-r3 (06 Mar 2009) + + 06 Mar 2009; Petteri Räty <betelgeuse@gentoo.org> + +files/5.5/examples-cal.patch, +files/6/examples-cal.patch, + +tomcat-5.5.27-r3.ebuild, +tomcat-6.0.18-r3.ebuild: + Add patch for XSS issue in examples for security bug #261460. Use use deps + in 5.5. +

Arches, please test and mark stable:
=www-servers/tomcat-6.0.18-r3
=www-servers/tomcat-5.5.27-r3
Target keywords : "amd64 ppc ppc64 x86"

amd64/x86 stable

ppc64 done

CVE-2009-0781 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0781): Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML."

ppc done

Ready for GLSA voting, I say NO.

NO too, closing.