Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 517630 (CVE-2014-0033) - <www-servers/tomcat-{6.0.41,7.0.56}: Session Hijacking Attack (CVE-2014-0033)
Summary: <www-servers/tomcat-{6.0.41,7.0.56}: Session Hijacking Attack (CVE-2014-0033)
Status: RESOLVED FIXED
Alias: CVE-2014-0033
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://tomcat.apache.org/security-6.html
Whiteboard: C2 [glsa]
Keywords:
Depends on: 519590
Blocks:
  Show dependency tree
 
Reported: 2014-07-21 00:14 UTC by GLSAMaker/CVETool Bot
Modified: 2014-12-15 00:45 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2014-07-21 00:14:13 UTC
CVE-2014-0033 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0033):
  org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33
  through 6.0.37 does not consider the disableURLRewriting setting when
  handling a session ID in a URL, which allows remote attackers to conduct
  session fixation attacks via a crafted URL.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-07-21 00:18:33 UTC
Affects 6.0.33 - 6.0.37

Current stable version = 6.0.37. 
6.0.39 currently in tree.

Maintainer(s): please let us know when the ebuild is ready for  stabilization.
Comment 2 Johann Schmitz (ercpe) (RETIRED) gentoo-dev 2014-11-02 10:23:31 UTC
Just committed tomcat-6.0.41 and tomcat-7.0.56.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-12-15 00:45:31 UTC
This issue was resolved and addressed in
 GLSA 201412-29 at http://security.gentoo.org/glsa/glsa-201412-29.xml
by GLSA coordinator Sean Amoss (ackle).