org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33
through 6.0.37 does not consider the disableURLRewriting setting when
handling a session ID in a URL, which allows remote attackers to conduct
session fixation attacks via a crafted URL.
Affects 6.0.33 - 6.0.37
Current stable version = 6.0.37.
6.0.39 currently in tree.
Maintainer(s): please let us know when the ebuild is ready for stabilization.
Just committed tomcat-6.0.41 and tomcat-7.0.56.
This issue was resolved and addressed in
GLSA 201412-29 at http://security.gentoo.org/glsa/glsa-201412-29.xml
by GLSA coordinator Sean Amoss (ackle).