Hi,

I'm trying to figure out the Tomcat 5.5 Security Update that was announced on the 
security list earlier today:

-----------------------------
Package        : tomcat5.5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2008-5515 CVE-2009-0033 CVE-2009-0580 CVE-2009-0781 
CVE-2009-0783 CVE-2009-2693 CVE-2009-2902 CVE-2010-1157 CVE-2010-2227

Various vulnerabilities have been discovered in the Tomcat Servlet and JSP 
engine, resulting in denial of service, cross-site scripting, information 
disclosure and WAR file traversal. Further details on the individual security 
issues can be found at http://tomcat.apache.org/security-5.html.
-----------------------------

They list CVEs as far back as 2008, which got me curious.

The latest important tomcat 5.5 vulnerability in the list is:

Important: Remote Denial Of Service and Information Disclosure Vulnerability 
CVE-2010-2227

According to the Apache Tomcat site:

"This was first reported to the Tomcat security team on 14 Jun 2010 and made 
public on 9 Jul 2010." It was fixed in the SVN branch on 30 Jun 2010 (thus 
prior to the public announcement).

The first CVE in the list is CVE-2008-5515, and according to the Apache Tomcat 
site:

"This was first reported to the Tomcat security team on 11 Dec 2008 and made 
public on 8 Jun 2009." It was fixed in SVN on 10 Jun 2009.

I searched for "tomcat" in my Debian security list mail folder and the previous 
Tomcat 5.5 Debian security announcement was on 2008-06-09.

So... everything points to Tomcat 5.5 being unpatched in Debian for 3 years now, 
despite several more or less severe security vulnerabilities (several are 
classified as "important" on the Apache Tomcat site). Can this really be true?

Regards,

Johan Karlsson


Archive: 
http://lists.debian.org/7e30d8226ba9a6409900813063af50af72c...@win03.ad.deltamanagement.se