This bug was fixed in the package tomcat6 - 6.0.18-0ubuntu3.2

---------------
tomcat6 (6.0.18-0ubuntu3.2) intrepid-security; urgency=low

  * SECURITY UPDATE: security bypass via specially crafted request
    - debian/patches/security-CVE-2008-5515.patch: use only a single
      normalise implementation in:
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/core/{ApplicationContext,ApplicationHttpRequest}.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/ssi/{SSIServletExternalResolver,SSIServletRequestUtil}.java,
      java/org/apache/catalina/util/RequestUtil.java,
      java/org/apache/naming/resources/FileDirContext.java
    - CVE-2008-5515
  * SECURITY UPDATE: denial of service via request with invalid headers
    - debian/patches/security-CVE-2009-0033.patch: make sure we return 400
      to the browser in
      java/org/apache/jk/common/{ChannelNioSocket,ChannelSocket,HandlerRequest}.java
    - CVE-2009-0033
  * SECURITY UPDATE: valid username enumeration via improper error checking
    - debian/patches/security-CVE-2009-0580.patch: make sure we have valid
      credentials in
      java/org/apache/catalina/realm/{DataSourceRealm,JDBCRealm,MemoryRealm}.java
    - CVE-2009-0580
  * SECURITY UPDATE: cross-site scripting in calendar example application
    (LP: #341278)
    - debian/patches/security-CVE-2009-0781.patch: properly quote value in
      webapps/examples/jsp/cal/cal2.jsp
    - CVE-2009-0781
  * SECURITY UPDATE: information disclosure via XML parser replacement
    - debian/patches/security-CVE-2009-0783.patch: create digesters and
      parsers earlier and don't use xml-parser from web-app in
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/startup/{LocalStrings.properties,TldConfig.java}
    - CVE-2009-0783

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Wed, 10 Jun 2009 09:46:33 -0400

** Changed in: tomcat6 (Ubuntu Intrepid)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5515

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0033

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0580

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0783

** Changed in: tomcat6 (Ubuntu Jaunty)
       Status: Confirmed => Fix Released

-- 
CVE-2009-0781: XSS in tomcat6 and tomcat5.5
https://bugs.launchpad.net/bugs/341278
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat6 in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs