Bug #341278 “CVE-2009-0781: XSS in tomcat6 and tomcat5.5” : Hardy (8.04) : Bugs : tomcat6 package : Ubuntu

Jamie Strandboge (jdstrand) on 2009-03-11

Changed in tomcat6:
status:	New → Confirmed
status:	New → Confirmed
status:	New → Invalid
status:	New → Invalid
Changed in tomcat5.5:
status:	New → Confirmed
status:	New → Confirmed
status:	New → Confirmed
status:	New → Confirmed

Kees Cook (kees) on 2009-04-16

Changed in tomcat5.5 (Ubuntu Gutsy):
importance:	Undecided → Low
Changed in tomcat5.5 (Ubuntu Hardy):
importance:	Undecided → Low
Changed in tomcat5.5 (Ubuntu Intrepid):
importance:	Undecided → Low
Changed in tomcat5.5 (Ubuntu Jaunty):
importance:	Undecided → Low
Changed in tomcat6 (Ubuntu Intrepid):
importance:	Undecided → Low
Changed in tomcat6 (Ubuntu Jaunty):
importance:	Undecided → Low

Revision history for this message

Sergio Zanchetta (primes2h) wrote on 2009-05-07:

#1

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in tomcat5.5 (Ubuntu Gutsy):
status:	Confirmed → Won't Fix

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-06-15:

#2

This bug was fixed in the package tomcat6 - 6.0.18-0ubuntu3.2

---------------
tomcat6 (6.0.18-0ubuntu3.2) intrepid-security; urgency=low

  * SECURITY UPDATE: security bypass via specially crafted request
    - debian/patches/security-CVE-2008-5515.patch: use only a single
      normalise implementation in:
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/core/{ApplicationContext,ApplicationHttpRequest}.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/ssi/{SSIServletExternalResolver,SSIServletRequestUtil}.java,
      java/org/apache/catalina/util/RequestUtil.java,
      java/org/apache/naming/resources/FileDirContext.java
    - CVE-2008-5515
  * SECURITY UPDATE: denial of service via request with invalid headers
    - debian/patches/security-CVE-2009-0033.patch: make sure we return
      400 to the browser in
      java/org/apache/jk/common/{ChannelNioSocket,ChannelSocket,HandlerRequest}.java
    - CVE-2009-0033
  * SECURITY UPDATE: valid username enumeration via improper error checking
    - debian/patches/security-CVE-2009-0580.patch: make sure we have valid
      credentials in java/org/apache/catalina/realm/{DataSourceRealm,JDBCRealm,MemoryRealm}.java
    - CVE-2009-0580
  * SECURITY UPDATE: cross-site scripting in calendar example application
    (LP: #341278)
    - debian/patches/security-CVE-2009-0781.patch: properly quote value in
      webapps/examples/jsp/cal/cal2.jsp
    - CVE-2009-0781
  * SECURITY UPDATE: information disclosure via XML parser replacement
    - debian/patches/security-CVE-2009-0783.patch: create digesters and
      parsers earlier and don't use xml-parser from web-app in
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/startup/{LocalStrings.properties,TldConfig.java}
    - CVE-2009-0783

-- Marc Deslauriers <email address hidden> Wed, 10 Jun 2009 09:46:33 -0400

Changed in tomcat6 (Ubuntu Intrepid):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-06-15:

#3

This bug was fixed in the package tomcat6 - 6.0.18-0ubuntu6.1

---------------
tomcat6 (6.0.18-0ubuntu6.1) jaunty-security; urgency=low

  * SECURITY UPDATE: security bypass via specially crafted request
    - debian/patches/security-CVE-2008-5515.patch: use only a single
      normalise implementation in:
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/core/{ApplicationContext,ApplicationHttpRequest}.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/ssi/{SSIServletExternalResolver,SSIServletRequestUtil}.java,
      java/org/apache/catalina/util/RequestUtil.java,
      java/org/apache/naming/resources/FileDirContext.java
    - CVE-2008-5515
  * SECURITY UPDATE: denial of service via request with invalid headers
    - debian/patches/security-CVE-2009-0033.patch: make sure we return
      400 to the browser in
      java/org/apache/jk/common/{ChannelNioSocket,ChannelSocket,HandlerRequest}.java
    - CVE-2009-0033
  * SECURITY UPDATE: valid username enumeration via improper error checking
    - debian/patches/security-CVE-2009-0580.patch: make sure we have valid
      credentials in java/org/apache/catalina/realm/{DataSourceRealm,JDBCRealm,MemoryRealm}.java
    - CVE-2009-0580
  * SECURITY UPDATE: cross-site scripting in calendar example application
    (LP: #341278)
    - debian/patches/security-CVE-2009-0781.patch: properly quote value in
      webapps/examples/jsp/cal/cal2.jsp
    - CVE-2009-0781
  * SECURITY UPDATE: information disclosure via XML parser replacement
    - debian/patches/security-CVE-2009-0783.patch: create digesters and
      parsers earlier and don't use xml-parser from web-app in
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/startup/{LocalStrings.properties,TldConfig.java}
    - CVE-2009-0783

-- Marc Deslauriers <email address hidden> Wed, 10 Jun 2009 08:31:31 -0400

Changed in tomcat6 (Ubuntu Jaunty):
status:	Confirmed → Fix Released

Bug Watch Updater (bug-watch-updater) on 2009-07-21

Changed in tomcat6 (Debian):
status:	Unknown → Fix Released

Marc Deslauriers (mdeslaur) on 2009-09-22

Changed in tomcat6 (Ubuntu):
status:	Confirmed → Fix Released

Revision history for this message

Alex Valavanis (valavanisalex) wrote on 2010-05-08:

#4

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug is still marked as confirmed in later versions of Ubuntu.

Changed in tomcat5.5 (Ubuntu Intrepid):
status:	Confirmed → Invalid

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2010-11-18:

#5

Jaunty is EOL.

Changed in tomcat5.5 (Ubuntu Jaunty):
status:	Confirmed → Won't Fix

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2010-11-18:

#6

Marking parent task as "Won't Fix" since it tracks Jaunty, but leaving Hardy. On Hardy, this package is in universe and is community supported. If someone is able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures.

Changed in tomcat5.5 (Ubuntu):
status:	Confirmed → Won't Fix

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2011-12-13:

#7

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures'

Please feel free to report any other bugs you may find.

Changed in tomcat5.5 (Ubuntu Hardy):
status:	Confirmed → Won't Fix

Ubuntu
tomcat6 package

CVE-2009-0781: XSS in tomcat6 and tomcat5.5

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
tomcat5.5 (Ubuntu)	Won't Fix	Low	Unassigned
Gutsy	Won't Fix	Low	Unassigned
Hardy	Won't Fix	Low	Unassigned
Intrepid	Invalid	Low	Unassigned
Jaunty	Won't Fix	Low	Unassigned
tomcat6 (Debian)	Fix Released	Unknown	debbugs #532362
tomcat6 (Ubuntu)	Fix Released	Low	Unassigned
Gutsy	Invalid	Undecided	Unassigned
Hardy	Invalid	Undecided	Unassigned
Intrepid	Fix Released	Low	Unassigned
Jaunty	Fix Released	Low	Unassigned

Ubuntutomcat6 package

CVE-2009-0781: XSS in tomcat6 and tomcat5.5

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
tomcat6 package