Tomcat 5.5 Vulnerabilities
I'm trying to figure the Tomcat 5.5 Security Update that was announced on the security announce list yesterday:
Package : tomcat5.5
Vulnerability : several
Problem type : remote
CVE ID : CVE-2008-5515 CVE-2009-0033 CVE-2009-0580 CVE-2009-0781 CVE-2009-0783 CVE-2009-2693 CVE-2009-2902 CVE-2010-1157 CVE-2010-2227
Various vulnerabilities have been discovered in the Tomcat Servlet and JSP engine, resulting in denial of service, cross-site scripting, information disclosure and WAR file traversal. Further details on the individual security issues can be found at http://tomcat.apache.org/security-5.html.
They list CVEs as far back as 2008, which got me curious.
The latest important tomcat 5.5 vulnerability in the list is:
Important: Remote Denial Of Service and Information Disclosure Vulnerability CVE-2010-2227
According to the Apache Tomcat site:
"This was first reported to the Tomcat security team on 14 Jun 2010 and made public on 9 Jul 2010." It was fixed in the SVN branch on 30 Jun 2010 (thus prior to the public announcement).
The first CVE in the list is CVE-2008-5515, and according to the Apache Tomcat site:
"This was first reported to the Tomcat security team on 11 Dec 2008 and made public on 8 Jun 2009." It was fixed in SVN on 10 Jun 2009.
I searched for "tomcat" in my Debian security list mail folder and the previous Tomcat 5.5 Debian security announcement was on 2008-06-09.
So.. everything points to Tomcat 5.5 being unpached in Debian for 3 years now, despite several more or less severe security vulnerabilities (several are classified as "important" on the Apache Tomcat site). Can this really be true?