Bug 303719 (CVE-2009-2693) - <www-servers/tomcat-6.0.26: Directory traversal (CVE-2009-{2693,2901,2902})
Summary: <www-servers/tomcat-6.0.26: Directory traversal (CVE-2009-{2693,2901,2902})
Status: RESOLVED FIXED
Alias: CVE-2009-2693
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://tomcat.apache.org/security-6.html
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks: 322979
Reported: 2010-02-06 14:37 UTC by Stefan Behte (RETIRED)
Modified: 2012-06-24 14:12 UTC (History)
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 14:37:19 UTC
CVE-2009-2693 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2693):
  Directory traversal vulnerability in Apache Tomcat 5.5.0 through
  5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or
  overwrite arbitrary files via a .. (dot dot) in an entry in a WAR
  file, as demonstrated by a ../../bin/catalina.bat entry.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:41:22 UTC
CVE-2009-2901 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2901):
  The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and
  6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase
  files that remain from a failed undeploy, which might allow remote
  attackers to bypass intended authentication requirements via HTTP
  requests.

CVE-2009-2902 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2902):
  Directory traversal vulnerability in Apache Tomcat 5.5.0 through
  5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete
  work-directory files via directory traversal sequences in a WAR
  filename, as demonstrated by the ...war filename.

Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:48:52 UTC
Hi, can you please advise here? Newer versions would be cool...
Comment 3 Alistair Bush (RETIRED) gentoo-dev 2010-03-18 08:28:54 UTC
tomcat 6.0.26 and the related tomcat-servlet-api are in the tree.  Could we stabilise, please?
Comment 4 Petteri Räty (RETIRED) gentoo-dev 2010-03-25 18:40:30 UTC
(In reply to comment #3)
> tomcat 6.0.26 and the related tomcat-servlet-api are in the tree.  Could we stabilise,
> please?
> 

Let's add arches so it happens.
Comment 5 Andreas Schürch gentoo-dev 2010-03-26 13:46:23 UTC
I've tested both packages on x86, looks good.
Comment 6 Brent Baude (RETIRED) gentoo-dev 2010-03-26 15:32:40 UTC
ppc64 done
Comment 7 Brent Baude (RETIRED) gentoo-dev 2010-03-26 15:42:04 UTC
ppc done
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-29 13:58:54 UTC
x86 stable, thanks Andreas
Comment 9 Markus Meier gentoo-dev 2010-03-29 21:40:52 UTC
amd64 stable, all arches done.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-29 22:09:21 UTC
GLSA request filed.
Comment 11 William L. Thomson Jr. 2011-02-15 02:48:38 UTC
This bug is still open because of why?
Comment 12 Miroslav Šulc gentoo-dev 2011-12-24 20:33:51 UTC
tomcat 5.5.x has been removed from the main tree because it is heading for its EOL on 2012-09-30 and is unmaintained on our side (all the effort goes to the 6.x and 7.x releases). tomcat 5.5.x has been moved to java-overlay for those who still need it.
Comment 13 Miroslav Šulc gentoo-dev 2012-03-25 20:21:56 UTC
What is the status here? There has been no affected version in the tree for quite some time.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:12:18 UTC
This issue was resolved and addressed in
 GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml
by GLSA coordinator Tobias Heinlein (keytoaster).