Bug 146022

Summary: [security] www/tomcat6, www/tomcat55 information disclosure
Product: Ports & Packages Reporter: niels <niels>
Component: Individual Port(s)Assignee: Alex Dupre <ale>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description niels freebsd_committer freebsd_triage 2010-04-24 21:50:03 UTC 
From the security advsory:

Low: Information disclosure in authentication headers   CVE-2010-1157

The WWW-Authenticate HTTP header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, a <realm-name> is not specified then Tomcat will generate realm name using the code snippet request.getServerName() + ":" + request.getServerPort(). In some circumstances this can expose the local host name or IP address of the machine running Tomcat. 


Can you update the ports or add the patch? 
Thanks!

Fix: 

Tomcat 6.0.x: http://svn.apache.org/viewvc?view=rev&rev=936540
Tomcat 5.5.x: http://svn.apache.org/viewvc?view=rev&rev=936541
How-To-Repeat: N/A
Comment 1 dfilter service freebsd_committer freebsd_triage 2010-04-24 22:15:07 UTC 
niels       2010-04-24 21:14:58 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  Documented vulnerabilities in moodle, tomcat55, tomcat66 and cacti
  
  PR:             ports/146021
  PR:             ports/146022
  Approved by:    remko (secteam)
  Security:       http://seclists.org/bugtraq/2010/Apr/200
  Security:       http://docs.moodle.org/en/Moodle_1.9.8_release_notes
  Security:       http://www.bonsai-sec.com/en/research/vulnerability.php
  
  Revision  Changes    Path
  1.2146    +95 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2010-06-03 02:26:56 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->ale

The vuXML patch has been committed, but the two tomcat ports still need 
updating.  Assign this the to maintainer of tomcat6 with a Cc: to the 
maintainer of tomcat55.
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2010-08-20 22:33:33 UTC 
State Changed
From-To: open->closed

Now OBE by later commits to tomcat55 and tomcat6.
Comment 4 Jason 2010-08-20 22:54:57 UTC 
It looks like this vulnerability was covered in the latest update of
tomcat55 with PR ports/148611, as the tomcat version is not affected per the
CVE.

http://seclists.org/bugtraq/2010/Apr/200

Affects version of tomcat 5.5.0 to 5.5.29

Tomcat version is now at 5.5.30

-jgh

-- 
Jason Helfman