[Bug 341278] Re: CVE-2009-0781: XSS in tomcat6 and tomcat5.5
Launchpad Bug Tracker
341278 at bugs.launchpad.net
Mon Jun 15 15:09:36 BST 2009
This bug was fixed in the package tomcat6 - 6.0.18-0ubuntu6.1
---------------
tomcat6 (6.0.18-0ubuntu6.1) jaunty-security; urgency=low
* SECURITY UPDATE: security bypass via specially crafted request
- debian/patches/security-CVE-2008-5515.patch: use only a single
normalise implementation in:
java/org/apache/catalina/connector/Request.java,
java/org/apache/catalina/core/{ApplicationContext,ApplicationHttpRequest}.java,
java/org/apache/catalina/servlets/WebdavServlet.java,
java/org/apache/catalina/ssi/{SSIServletExternalResolver,SSIServletRequestUtil}.java,
java/org/apache/catalina/util/RequestUtil.java,
java/org/apache/naming/resources/FileDirContext.java
- CVE-2008-5515
* SECURITY UPDATE: denial of service via request with invalid headers
- debian/patches/security-CVE-2009-0033.patch: make sure we return
400 to the browser in
java/org/apache/jk/common/{ChannelNioSocket,ChannelSocket,HandlerRequest}.java
- CVE-2009-0033
* SECURITY UPDATE: valid username enumeration via improper error checking
- debian/patches/security-CVE-2009-0580.patch: make sure we have valid
credentials in java/org/apache/catalina/realm/{DataSourceRealm,JDBCRealm,MemoryRealm}.java
- CVE-2009-0580
* SECURITY UPDATE: cross-site scripting in calendar example application
(LP: #341278)
- debian/patches/security-CVE-2009-0781.patch: properly quote value in
webapps/examples/jsp/cal/cal2.jsp
- CVE-2009-0781
* SECURITY UPDATE: information disclosure via XML parser replacement
- debian/patches/security-CVE-2009-0783.patch: create digesters and
parsers earlier and don't use xml-parser from web-app in
java/org/apache/catalina/core/StandardContext.java,
java/org/apache/catalina/startup/{LocalStrings.properties,TldConfig.java}
- CVE-2009-0783
-- Marc Deslauriers <marc.deslauriers at ubuntu.com> Wed, 10 Jun 2009
08:31:31 -0400
--
CVE-2009-0781: XSS in tomcat6 and tomcat5.5
https://bugs.launchpad.net/bugs/341278
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat6 in ubuntu.
More information about the Ubuntu-server-bugs
mailing list