Low: Information disclosure CVE-2011-2204 When using the MemoryUserDatabase (based on tomcat-users.xml) and creating users via JMX, an exception during the user creation process may trigger an error message in the JMX client that includes the user's password. This error message is also written to the Tomcat logs. User passwords are visible to administrators with JMX access and/or administrators with read access to the tomcat-users.xml file. Users that do not have these permissions but are able to read log files may be able to discover a user's password. The 7.x commit is at $URL.
Sorry for the bugspam, more commits for 6.x and 5.x. - 6.0.x: http://svn.apache.org/viewvc?rev=1140071&view=rev - 5.5.x: http://svn.apache.org/viewvc?rev=1140072&view=rev
CVE-2011-2204 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2204): Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.
For the stable request, please view bug 386213.
tomcat 5.5.x has been removed from the main tree because it's heading its eol in 2012-09-30 and it's unmaintained on our side (all the effort goes to 6.x and 7.x releases). tomcat 5.5.x has been moved to java-overlay for those that still need it.
Thanks, folks. GLSA Vote: no.
On existing GLSA request.
no affected version in the tree anymore
This issue was resolved and addressed in GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml by GLSA coordinator Tobias Heinlein (keytoaster).
