Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 209410 (CVE-2007-5333) - dev-java/tomcat-native <1.1.13-r1 Multiple vulnerabilities (CVE-2007-{5333,6286}, CVE-2008-0002)
Summary: dev-java/tomcat-native <1.1.13-r1 Multiple vulnerabilities (CVE-2007-{5333,62...
Alias: CVE-2007-5333
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3? [noglsa]
Depends on: 198223
Blocks: CVE-2007-5461
  Show dependency tree
Reported: 2008-02-09 04:37 UTC by William L. Thomson Jr. (RETIRED)
Modified: 2008-03-21 02:25 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description William L. Thomson Jr. (RETIRED) gentoo-dev 2008-02-09 04:37:19 UTC
CVE-2007-5333: Tomcat Cookie handling vulnerabilities

CVE-2007-6286: Tomcat duplicate request processing vulnerability

CVE-2008-0002: Tomcat information disclosure vulnerability

Just announced by upstream, links do not work just yet. Tomcat versions not effected have already been committed to tree. Latest release. Not sure if we should look to stabilize them because of these issues. Was a minor bump to latest version on both recently.

There is another problem with tomcat-native, per bug 198233. That will need to be resolved before 1.1.12 can be stabilized to resolve CVE-2007-6286.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-10 15:08:23 UTC
Thx William.

Tomcat 5.5.26 and 6.0.16 is being marked stable on bug #196066.

Is tomcat-native-1.1.12 ready for stable marking?
Comment 2 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-02-10 16:33:04 UTC
(In reply to comment #1)
> Is tomcat-native-1.1.12 ready for stable marking?

Sorry referenced wrong bug above. tomcat-native presently has the following problem bug 198223. I got the same thing with 1.1.12. 1.1.13 is due to be released any day but do not believe it will effect that or not.

Seems to be dep related or possibly use flag. But it used to work, and all of the sudden stopped. Just haven't had time to look into or debug.
Comment 3 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-02-26 17:08:10 UTC
We can look to stabilize either tomcat-native 1.1.12 or 1.1.13. Seems the hanging reported in another bug 196066 was just impatience versus a real bug. So shouldn't be holding this one back anymore.
Comment 4 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-02-26 17:39:46 UTC
Let's just stabilize 1.1.13 and be done with it all :) CC'ing archs for stabilization. Will go close other bugs.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-02-26 18:33:17 UTC
Adding release
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-02-26 18:35:10 UTC
Arches, please test and mark stable:
Target keywords : "amd64 release x86"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-27 09:18:10 UTC
x86 stable
Comment 8 François Périchon 2008-02-29 10:09:32 UTC
dev-java/tomcat-native-1.1.13-r1 installed and ran without problem on my ~amd64 install (along www-servers/tomcat-6.0.14-r1)
Comment 9 Wulf Krueger (RETIRED) gentoo-dev 2008-03-02 14:15:59 UTC
Marked stable on amd64.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-03-02 15:28:01 UTC
This one is ready for GLSA vote. I vote NO.
Comment 11 Peter Volkov (RETIRED) gentoo-dev 2008-03-02 16:20:31 UTC
Fixed in release snapshot.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-07 22:55:07 UTC
voting no too, and closing.