From the security advisory:

Low: Information disclosure in authentication headers
CVE-2010-1157

The WWW-Authenticate HTTP header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, if a <realm-name> is not specified then Tomcat will generate a realm name using the code snippet request.getServerName() + ":" + request.getServerPort(). In some circumstances this can expose the local host name or IP address of the machine running Tomcat.

Can you update the ports or add the patch? Thanks!

Fix:
Tomcat 6.0.x: http://svn.apache.org/viewvc?view=rev&rev=936540
Tomcat 5.5.x: http://svn.apache.org/viewvc?view=rev&rev=936541

How-To-Repeat: N/A
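As an added check, not part of this PR, the advisory or Tomcat, the script below inspects WWW-Authenticate headers and flags any BASIC/DIGEST realm shaped like the getServerName() + ":" + getServerPort() default the advisory describes; the sample headers are constructed.

```python
import re
from typing import List, Optional

# Extract the quoted realm parameter from a WWW-Authenticate header value.
REALM_RE = re.compile(r'realm\s*=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)

# A realm that is a bare host name (or dotted IPv4) followed by ":port" is the
# shape Tomcat emits when web.xml has no <realm-name>; that is the leak.
HOST_PORT_RE = re.compile(
    r'^(?:\d{1,3}(?:\.\d{1,3}){3}'                                  # IPv4
    r'|[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?'                    # first label
    r'(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*)'             # more labels
    r':\d{1,5}$'                                                    # port
)

# Constructed sample headers (not captured from any real server).
SAMPLE_HEADERS = [
    'Basic realm="app-server-01.internal.example:8080"',   # leaks host name
    'Digest realm="10.0.0.5:8443", qop="auth", nonce="c0ffee"',  # leaks address
    'Basic realm="Admin Console"',                         # explicit realm-name
    'Bearer realm="api"',                                  # not BASIC/DIGEST
]


def parse_realm(header: str) -> Optional[str]:
    """Return the realm of a Basic or Digest challenge, or None for other schemes."""
    parts = header.strip().split(None, 1)
    if not parts or parts[0].lower() not in ("basic", "digest"):
        return None
    match = REALM_RE.search(header)
    return match.group(1) if match else None


def realm_leaks_host(realm: str) -> bool:
    """True when the realm looks like host:port rather than a chosen name."""
    return bool(HOST_PORT_RE.match(realm))


def find_leaking_realms(headers: List[str]) -> List[str]:
    """Return the realms, in order, that expose a host name or IP address."""
    leaks = []
    for header in headers:
        realm = parse_realm(header)
        if realm is not None and realm_leaks_host(realm):
            leaks.append(realm)
    return leaks


if __name__ == "__main__":
    for realm in find_leaking_realms(SAMPLE_HEADERS):
        print(f"realm exposes host/port: {realm!r}; set <realm-name> in web.xml")
```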
niels 2010-04-24 21:14:58 UTC

FreeBSD ports repository

Modified files:
  security/vuxml  vuln.xml
Log:
  Documented vulnerabilities in moodle, tomcat55, tomcat66 and cacti

  PR:          ports/146021
  PR:          ports/146022
  Approved by: remko (secteam)
  Security:    http://seclists.org/bugtraq/2010/Apr/200
  Security:    http://docs.moodle.org/en/Moodle_1.9.8_release_notes
  Security:    http://www.bonsai-sec.com/en/research/vulnerability.php

Revision  Changes  Path
1.2146    +95 -1   ports/security/vuxml/vuln.xml
Responsible Changed From-To: freebsd-ports-bugs->ale

The vuXML patch has been committed, but the two tomcat ports still need updating. Assign this to the maintainer of tomcat6 with a Cc: to the maintainer of tomcat55.
State Changed From-To: open->closed

Now OBE by later commits to tomcat55 and tomcat6.
It looks like this vulnerability was covered in the latest update of tomcat55 with PR ports/148611, as the tomcat version is not affected per the CVE.

http://seclists.org/bugtraq/2010/Apr/200
Affects versions of tomcat 5.5.0 to 5.5.29
Tomcat version is now at 5.5.30

-jgh
--
Jason Helfman