From the security advisory:
Low: Information disclosure in authentication headers CVE-2010-1157
The WWW-Authenticate HTTP header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, if a <realm-name> is not specified then Tomcat will generate a realm name using the code snippet request.getServerName() + ":" + request.getServerPort(). In some circumstances this can expose the local host name or IP address of the machine running Tomcat.
Can you update the ports or add the patch?
Tomcat 6.0.x: http://svn.apache.org/viewvc?view=rev&rev=936540
Tomcat 5.5.x: http://svn.apache.org/viewvc?view=rev&rev=936541
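As an added example (not part of the PR or of the Tomcat or FreeBSD code), here is a small checker a defender can run over captured WWW-Authenticate header values to spot realms that have the auto-generated host:port shape described in the advisory. The sample header values are constructed for the example, and the helper names are mine; the only behaviour taken from the page is that an unset <realm-name> yields request.getServerName() + ":" + request.getServerPort().

```python
import re
from ipaddress import ip_address

# Constructed sample WWW-Authenticate values; none were captured from a real host.
SAMPLE_HEADERS = [
    'Basic realm="build-server.corp.internal:8080"',   # auto-generated realm: host name + port
    'Basic realm="10.0.0.12:8443"',                    # auto-generated realm built from an IP
    'Digest realm="intranet.example:8080", qop="auth", nonce="abc123", opaque="deadbeef"',
    'Basic realm="Restricted Area"',                   # explicit <realm-name> from web.xml
    'Digest realm="Tomcat Manager Application", qop="auth", nonce="xyz"',
]

# realm="..." parameter of a Basic or Digest challenge
REALM_RE = re.compile(r'realm\s*=\s*"([^"]*)"', re.IGNORECASE)
# host:port as produced by getServerName() + ":" + getServerPort(); [::1]:8080 style IPv6 allowed
HOST_PORT_RE = re.compile(r'^(?P<host>[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:]+\]):(?P<port>\d{1,5})$')


def extract_realm(header_value):
    """Return the realm parameter of a WWW-Authenticate value, or None if absent."""
    m = REALM_RE.search(header_value)
    return m.group(1) if m else None


def looks_like_default_realm(realm):
    """True when the realm has the host:port shape of Tomcat's generated default."""
    if realm is None:
        return False
    m = HOST_PORT_RE.match(realm)
    if not m:
        return False
    port = int(m.group('port'))
    return 0 < port <= 65535


def classify_realm(realm):
    """'ip' or 'hostname' for a host:port shaped realm, None for any other realm."""
    if not looks_like_default_realm(realm):
        return None
    host = HOST_PORT_RE.match(realm).group('host').strip('[]')
    try:
        ip_address(host)
        return 'ip'
    except ValueError:
        return 'hostname'


def audit_headers(header_values):
    """Return (realm, classification) for every header whose realm looks auto-generated."""
    findings = []
    for value in header_values:
        realm = extract_realm(value)
        kind = classify_realm(realm)
        if kind:
            findings.append((realm, kind))
    return findings


if __name__ == '__main__':
    for realm, kind in audit_headers(SAMPLE_HEADERS):
        print(f'auto-generated realm exposes {kind}: {realm}')
```

A realm that trips this check is the cue to set an explicit <realm-name> inside the application's <login-config> in web.xml (or to pick up the patched Tomcat build), after which the challenge carries the chosen string instead of the server name and port.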
niels 2010-04-24 21:14:58 UTC
FreeBSD ports repository
Documented vulnerabilities in moodle, tomcat55, tomcat66 and cacti
Approved by: remko (secteam)
Revision Changes Path
1.2146 +95 -1 ports/security/vuxml/vuln.xml
The vuXML patch has been committed, but the two tomcat ports still need
updating. Assign this to the maintainer of tomcat6 with a Cc: to the
maintainer of tomcat55.
Now OBE by later commits to tomcat55 and tomcat6.
It looks like this vulnerability was covered in the latest update of
tomcat55 with PR ports/148611, as the tomcat version is not affected per the
advisory ("Affects version of tomcat 5.5.0 to 5.5.29").
Tomcat version is now at 5.5.30.