Bug#496309: CVE-2008-2938: arbitrary file access

Steffen Joeris steffen.joeris at skolelinux.de
Sun Aug 24 11:22:23 UTC 2008


Package: tomcat5.5
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for tomcat5.5.

CVE-2008-2938[0]:
| Directory traversal vulnerability in Apache Tomcat 4.1.0 through
| 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when
| allowLinking and UTF-8 are enabled, allows remote attackers to read
| arbitrary files via encoded directory traversal sequences in the URI,
| a different vulnerability than CVE-2008-2370.  NOTE: versions earlier
| than 6.0.18 were reported affected, but the vendor advisory lists
| 6.0.16 as the last affected version.

The upstream advisory can be found here[1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
    http://security-tracker.debian.net/tracker/CVE-2008-2938
[1] http://tomcat.apache.org/security-5.html

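The CVE text above describes encoded traversal sequences that slip past a lexical path check when the container decodes the request URI leniently and, with allowLinking on, follows a symlink out of the web root. The following Python is an added example, not code from the bug report, from Tomcat or from the Debian package: it shows the canonicalisation check a file-serving component should apply before mapping a URI path onto a document root (percent-decode exactly once, require strict UTF-8, reject parent-directory segments, and, when links are followed, confirm the physical target still sits under the root). The function names and the constructed test paths are assumptions made for this example; the remark that overlong byte sequences such as %c0%ae decode to '.' under a lenient decoder is general UTF-8 background, not a detail the report states about Tomcat's bug.

```python
"""Canonicalise a request URI path before mapping it onto a document root.

Added example, not Tomcat code and not from the bug report.  It performs
the check a file-serving component should apply to the path component of a
request: percent-decode once, decode the bytes as *strict* UTF-8, and refuse
anything that would escape the document root, including through a symlink.
"""
import os
import urllib.parse
from typing import Optional, Tuple


def decode_uri_path(raw_path: str) -> Optional[str]:
    """Percent-decode exactly once and require well-formed UTF-8.

    Returns None when the decoded bytes are not valid UTF-8.  Overlong
    sequences such as %c0%ae (which a lenient decoder maps to '.') fall
    into this category, so they never reach the traversal check below.
    """
    raw_bytes = urllib.parse.unquote_to_bytes(raw_path)
    try:
        return raw_bytes.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None


def resolve_under_root(docroot: str, raw_path: str,
                       follow_links: bool = False) -> Tuple[bool, str, Optional[str]]:
    """Map a URI path onto docroot; return (ok, reason, filesystem_path).

    Lexical check: after decoding, no segment may be '..', and the normalised
    path must stay below docroot.  Physical check (follow_links=True, the
    situation a container is in when it serves with allowLinking): the
    symlink-resolved target must also stay below docroot, so a link that
    points outside the root is refused rather than served.
    """
    decoded = decode_uri_path(raw_path)
    if decoded is None:
        return False, "invalid UTF-8 after percent-decoding", None
    if "\x00" in decoded:
        return False, "NUL byte in path", None
    # Treat backslash as a separator too, so '..\\' is caught on platforms
    # or decoders that accept it as one.
    segments = decoded.replace("\\", "/").split("/")
    if any(seg == ".." for seg in segments):
        return False, "parent-directory segment in path", None
    root = os.path.normpath(os.path.abspath(docroot))
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return False, "path escapes document root", None
    if follow_links:
        real_root = os.path.realpath(root)
        real = os.path.realpath(candidate)
        if real != real_root and not real.startswith(real_root + os.sep):
            return False, "symlink target escapes document root", None
        candidate = real
    return True, "ok", candidate


if __name__ == "__main__":
    # Constructed sample requests (not from the report) against a web root.
    for path in ("/index.html",
                 "/%2e%2e/%2e%2e/etc/passwd",
                 "/..%2fetc/passwd",
                 "/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"):
        print(path, "->", resolve_under_root("/var/www", path))
```

Decoding exactly once matters: a double-encoded request such as `/%252e%252e/` decodes to the literal directory name `%2e%2e`, which is harmless and simply will not exist, whereas decoding it a second time would reintroduce the `..` the first pass was meant to expose. The lexical and physical checks are deliberately separate, since allowLinking-style configurations pass the first and fail only the second.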