Digging in the Apache Tomcat SVN and commit logs revealed the following 5.5.x fixes:

CVE-2008-1232: http://svn.apache.org/viewvc?rev=680947&view=rev
CVE-2008-2370: http://svn.apache.org/viewvc?view=rev&revision=680949
CVE-2008-2938: http://svn.apache.org/viewvc?view=rev&revision=681065

Hope this helps.

--
Thierry Carrez
Ubuntu server team