CVE-2007-5333: Tomcat Cookie handling vulnerabilities http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5333 CVE-2007-6286: Tomcat duplicate request processing vulnerability http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6286 CVE-2008-0002: Tomcat information disclosure vulnerability http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0002 Just announced by upstream, links do not work just yet. Tomcat versions not effected have already been committed to tree. Latest release. Not sure if we should look to stabilize them because of these issues. Was a minor bump to latest version on both recently. There is another problem with tomcat-native, per bug 198233. That will need to be resolved before 1.1.12 can be stabilized to resolve CVE-2007-6286.
Thx William. Tomcat 5.5.26 and 6.0.16 is being marked stable on bug #196066. Is tomcat-native-1.1.12 ready for stable marking?
(In reply to comment #1) > > Is tomcat-native-1.1.12 ready for stable marking? > Sorry referenced wrong bug above. tomcat-native presently has the following problem bug 198223. I got the same thing with 1.1.12. 1.1.13 is due to be released any day but do not believe it will effect that or not. Seems to be dep related or possibly use flag. But it used to work, and all of the sudden stopped. Just haven't had time to look into or debug.
We can look to stabilize either tomcat-native 1.1.12 or 1.1.13. Seems the hanging reported in another bug 196066 was just impatience versus a real bug. So shouldn't be holding this one back anymore.
Let's just stabilize 1.1.13 and be done with it all :) CC'ing archs for stabilization. Will go close other bugs.
Adding release
Arches, please test and mark stable: =dev-java/tomcat-native-1.1.13-r1 Target keywords : "amd64 release x86"
x86 stable
dev-java/tomcat-native-1.1.13-r1 installed and ran without problem on my ~amd64 install (along www-servers/tomcat-6.0.14-r1)
Marked stable on amd64.
This one is ready for GLSA vote. I vote NO.
Fixed in release snapshot.
voting no too, and closing.
