Updated to add additional patches required for 5.5.x and 4.1.x
CVE-2008-5515: Apache Tomcat information disclosure vulnerability
The Apache Software Foundation
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18
When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it under the WEB-INF directory.
For a page that contains:
<%
request.getRequestDispatcher( "bar.jsp?somepar=someval&par=" +
    request.getParameter( "blah" ) ).forward( request, response );
%>
an attacker can use:
This issue was discovered by Iida Minehiko, Fujitsu Limited
Submitting patches, along with patches to the ebuild
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0
through 6.0.18, and possibly earlier versions normalizes the target
pathname before filtering the query string when using the
RequestDispatcher method, which allows remote attackers to bypass
intended access restrictions and conduct directory traversal attacks
via .. (dot dot) sequences and the WEB-INF directory in a Request.
Will be added to glsa request.
Tomcat 5.5.x has been removed from the main tree because it is heading for its EOL on 2012-09-30 and it is unmaintained on our side (all the effort goes to the 6.x and 7.x releases). Tomcat 5.5.x has been moved to java-overlay for those who still need it.
This CVE is already on an existing GLSA request, so added the bug too.
What is the status of this bug? There has been no affected version in the tree for quite some time.
This issue was resolved and addressed in
GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml
by GLSA coordinator Tobias Heinlein (keytoaster).