Bug#465645: tomcat5.5: CVE-2007-5333 unauthorized disclosure of information

Michael Koch konqueror at gmx.de
Thu Feb 14 07:39:40 UTC 2008


On Wed, Feb 13, 2008 at 06:21:54PM +0100, Nico Golde wrote:
> Package: tomcat5.5
> Severity: grave
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for tomcat5.5.
> 
> CVE-2007-5333[0]:
> | Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0
> | through 4.1.36 does not properly handle (1) double quote (")
> | characters or (2) %5C (encoded backslash) sequences in a cookie value,
> | which might cause sensitive information such as session IDs to be
> | leaked to remote attackers and enable session hijacking attacks.  NOTE:
> | this issue exists because of an incomplete fix for CVE-2007-3385.
> 
> If you fix this vulnerability please also include the CVE id
> in your changelog entry.
> 
> For further information:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333

I'm preparing a new upstream release upload. This will fix this.


Cheers,
Michael
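The CVE text quoted above describes a cookie value containing a double quote or an encoded backslash (%5C) escaping the quoted string it was placed in, so that a header carrying one cookie is read back as several. The following Python block is an added example, not Tomcat's code or anything from this bug report: it contrasts a naive serializer that wraps non-token values in quotes without escaping against a hardened one that escapes `\` and `"` inside the quotes, and pairs both with a parser that honours backslash escapes. The function names, the token rule (RFC 2616 token characters, assumed here) and the sample values are all constructed for the example.

```python
"""Cookie value quoting: naive vs. hardened serializer, plus a parser.

Added example, not Tomcat's implementation. The point it demonstrates is
the one behind CVE-2007-5333: a value containing '"' or '\\' must be
escaped inside the quoted string, otherwise the value terminates the
quotes early and the remainder is parsed as further cookie pairs.
"""

# RFC 2616 separators; a token is any run of printable ASCII without them.
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def is_token(text: str) -> bool:
    """True if every character is a printable ASCII non-separator."""
    return bool(text) and all(
        32 < ord(c) < 127 and c not in _SEPARATORS for c in text
    )


def naive_serialize(name: str, value: str) -> str:
    """Quotes non-token values but never escapes '"' or '\\' inside them
    (the defective behaviour the CVE text describes)."""
    if is_token(value):
        return f"{name}={value}"
    return f'{name}="{value}"'


def safe_serialize(name: str, value: str) -> str:
    """Quotes non-token values and backslash-escapes '\\' and '"' so the
    closing quote is always the one the serializer wrote."""
    if not is_token(name):
        raise ValueError("cookie name must be a token")
    if is_token(value):
        return f"{name}={value}"
    if any(ord(c) < 32 or ord(c) == 127 for c in value):
        raise ValueError("control characters are not allowed in a cookie value")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{name}="{escaped}"'


def parse_cookie_header(header: str) -> dict:
    """Parse 'name=value; name2="quoted \\" value"' into a dict.

    Quoted strings are read up to the first unescaped '"'; a backslash
    escapes the next character. Unquoted values run to the next ';'.
    """
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " \t;":  # skip separators / blanks
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        if eq == -1:
            raise ValueError("cookie pair without '='")
        name = header[i:eq].strip()
        i = eq + 1
        while i < n and header[i] in " \t":
            i += 1
        if i < n and header[i] == '"':
            i += 1
            chars = []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted cookie value")
                c = header[i]
                if c == "\\":  # escape: take the next character literally
                    if i + 1 >= n:
                        raise ValueError("dangling backslash in cookie value")
                    chars.append(header[i + 1])
                    i += 2
                elif c == '"':  # unescaped quote closes the value
                    i += 1
                    break
                else:
                    chars.append(c)
                    i += 1
            value = "".join(chars)
            while i < n and header[i] in " \t":
                i += 1
            if i < n and header[i] != ";":
                raise ValueError("unexpected text after quoted cookie value")
        else:
            end = header.find(";", i)
            if end == -1:
                end = n
            value = header[i:end].strip()
            i = end
        cookies[name] = value
    return cookies


if __name__ == "__main__":
    # Constructed sample: a value that contains a quote and a separator.
    sample = 'a"; b=c'
    print(parse_cookie_header(naive_serialize("x", sample)))  # splits into two
    print(parse_cookie_header(safe_serialize("x", sample)))   # stays one value
```

Two design points matter in practice: the escaping must happen on the final, already-decoded value (decoding %5C into a backslash after the quotes were written would undo it), and the parser must treat only an unescaped `"` as the end of the value, which is why the two functions have to agree on the escape convention.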
