[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Tomcat 5.5 Vulnerabilities


I'm trying to figure the Tomcat 5.5 Security Update that was announced on the security list earlier today:

Package        : tomcat5.5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2008-5515 CVE-2009-0033 CVE-2009-0580 CVE-2009-0781 CVE-2009-0783 CVE-2009-2693 CVE-2009-2902 CVE-2010-1157 CVE-2010-2227

Various vulnerabilities have been discovered in the Tomcat Servlet and JSP engine, resulting in denial of service, cross-site scripting, information disclosure and WAR file traversal. Further details on the individual security issues can be found at http://tomcat.apache.org/security-5.html.

They list CVEs as far back as 2008, which got me curious.

The latest important tomcat 5.5 vulnerability in the list is:

Important: Remote Denial Of Service and Information Disclosure Vulnerability CVE-2010-2227

According to the Apache Tomcat site:

"This was first reported to the Tomcat security team on 14 Jun 2010 and made public on 9 Jul 2010." It was fixed in the SVN branch on 30 Jun 2010 (thus prior to the public announcement).

The first CVE in the list is CVE-2008-5515, and according to the Apache Tomcat site:

"This was first reported to the Tomcat security team on 11 Dec 2008 and made public on 8 Jun 2009." It was fixed in SVN on 10 Jun 2009.

I searched for "tomcat" in my Debian security list mail folder and the previous Tomcat 5.5 Debian security announcement was on 2008-06-09.

So.. everything points to Tomcat 5.5 being unpached in Debian for 3 years now, despite several more or less severe security vulnerabilities (several are classified as "important" on the Apache Tomcat site). Can this really be true?


Johan Karlsson

Reply to: