Old Tomcat 4.1 Cross-Site Scripting Vulnerability
Arnaud Vandyck
avdyk@debian.org
Thu Nov 18 15:12:01 2004
=2D----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thu, 18 Nov 2004 15:32:26 +0100,=20
Paul Dwerryhouse <paul@dwerryhouse.com.au> wrote:=20
> Hi,
>
> I'm doing some follow-up work for the debian secure-testing project,
> and I'm wondering if someone here might know about the following=20
> cross-site scripting vulnerability which was claimed to be in Tomcat 4.1.
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2002-1567
>
> http://archives.neohapsis.com/archives/vuln-dev/2002-q3/0482.html
I can't reproduce it on my system.
> I can't see any references to it in the changelog, and frankly, I don't
> know enough about Tomcat to be able to work out for myself if the Debian
> package is vulnerable or not.
>
> Can anyone tell me if this was ever addressed in the tomcat4 package,
> or if it turned out to be a non-issue?
Does the CAN-2002... mean year 2002? Last Tomcat upstream in Debian is
=2D From 8 Mar 2004 so I supposed it should be resolved upstream for
sometime. Does anyone as another POV?
Cheers,
=2D --=20
.''`.=20
: :' :rnaud
`. `'=20=20
`-=20=20=20=20
=2D----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBnR3S4vzFZu62tMIRAtd8AJ9Lwge95UWMrUxm4eIh80hMhWDm0QCeL5em
KdCaX85dFjvVg2deg7OjbdE=3D
=3DASBZ
=2D----END PGP SIGNATURE-----