Bug#532362: CVE-2008-5515
Giuseppe Iuculano
giuseppe at iuculano.it
Sat Jun 13 18:45:55 UTC 2009
Hi,

also CVE-2008-5515 is now disclosed:

Information Disclosure CVE-2008-5515

When using a RequestDispatcher obtained from the Request, the target path was
normalised before the query string was removed. A request that included a
specially crafted request parameter could be used to access content that would
otherwise be protected by a security constraint or by locating it under the
WEB-INF directory.

tomcat6: This was fixed in revision 734734[1].
tomcat5: This was fixed in revision 782757[2] and revision 783291[3].

[1] http://svn.apache.org/viewvc?view=rev&revision=734734
[2] http://svn.apache.org/viewvc?view=rev&revision=782757
[3] http://svn.apache.org/viewvc?view=rev&revision=783291
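
The ordering problem the advisory describes, shown as an added example that is not part of the original message and is not Tomcat's code: a simplified normaliser applied before and after the query string is removed, with a check on whether the result lands under WEB-INF. The class, its method names and the sample target are assumptions constructed for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class DispatcherPathOrder {

    // Simplified stand-in for a container's path normaliser (hypothetical, not
    // Tomcat's): drops empty and "." segments, resolves ".." against the previous one.
    static String normalize(String path) {
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (stack.isEmpty()) return null; // would escape the context root
                stack.removeLast();
            } else {
                stack.addLast(seg);
            }
        }
        return "/" + String.join("/", stack);
    }

    static String stripQuery(String target) {
        int q = target.indexOf('?');
        return q < 0 ? target : target.substring(0, q);
    }

    // Order described in the advisory: normalise first, then remove the query string.
    // The segment holding '?' is treated as a directory and consumed by "..".
    static String resolveNormaliseFirst(String target) {
        String n = normalize(target);
        return n == null ? null : stripQuery(n);
    }

    // Corrected order: remove the query string, then normalise only the path part.
    static String resolveStripFirst(String target) {
        return normalize(stripQuery(target));
    }

    // True when the resolved path points at or below WEB-INF (case-insensitive).
    static boolean underWebInf(String path) {
        return path != null && (path.equalsIgnoreCase("/WEB-INF")
                || path.regionMatches(true, 0, "/WEB-INF/", 0, 9));
    }

    public static void main(String[] args) {
        // Constructed dispatcher target: the parameter value carries a ".." segment.
        String target = "/page.jsp?x=/../WEB-INF/web.xml";
        for (String r : new String[] { resolveNormaliseFirst(target), resolveStripFirst(target) }) {
            System.out.println(r + " underWebInf=" + underWebInf(r));
        }
    }
}
```

A regression test for the fixed ordering can assert that `underWebInf(resolveStripFirst(target))` is false for any target whose path part is itself outside WEB-INF.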