Bug 517630 (CVE-2014-0033)

Summary: <www-servers/tomcat-{6.0.41,7.0.56}: Session Hijacking Attack (CVE-2014-0033)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://tomcat.apache.org/security-6.html
Whiteboard: C2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 519590
Bug Blocks:

Description GLSAMaker/CVETool Bot gentoo-dev 2014-07-21 00:14:13 UTC
CVE-2014-0033 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0033):
  org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33
  through 6.0.37 does not consider the disableURLRewriting setting when
  handling a session ID in a URL, which allows remote attackers to conduct
  session fixation attacks via a crafted URL.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-07-21 00:18:33 UTC
Affects 6.0.33 - 6.0.37

Current stable version = 6.0.37.
6.0.39 currently in tree.

Maintainer(s): please let us know when the ebuild is ready for stabilization.
Comment 2 Johann Schmitz (ercpe) (RETIRED) gentoo-dev 2014-11-02 10:23:31 UTC
Just committed tomcat-6.0.41 and tomcat-7.0.56.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-12-15 00:45:31 UTC
This issue was resolved and addressed in
 GLSA 201412-29 at http://security.gentoo.org/glsa/glsa-201412-29.xml
by GLSA coordinator Sean Amoss (ackle).