Debian: DSA-1468-1 Urgent: Remote Vulnerabilities in Tomcat 5.5
debian
January 20, 2008
Several remote vulnerabilities have been discovered in the Tomcat
servlet and JSP engine
Summary
Olaf Kock discovered that HTTPS encryption was insufficiently
enforced for single-sign-on cookies, which could result in
information disclosure.
CVE-2007-2450
It was discovered that the Manager and Host Manager web applications
performed insufficient input sanitising, which could lead to cross- site scripting.
This update also adapts the tomcat5.5-webapps package to the tightened
JULI permissions introduced in the previous tomcat5.5 DSA. However, it
should be noted, that the tomcat5.5-webapps is for demonstration and
documentation purposes only and should not be used for production
systems.
For the unstable distribution (sid), these problems will be fixed soon.
For the stable distribution (etch), these problems have been fixed in
version 5.5.20-2etch2.
The old stable distribution (sarge) doesn't contain tomcat5.5.
We recommend that you upgrade your tomcat5.5 packages.
Upgrade instructions
- --------------------wget url
will fetch the file for ...
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!