Bug 178179

Summary: CVE-2006-0254 tomcat examples XSS
Product: [Fedora] Fedora Reporter: Mark J. Cox <mjc>
Component: tomcatAssignee: Rafael H. Schloming <rafaels>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5CC: patrickm, tross
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: reported=20050117,source=cve,public=20050115,impact=moderate
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-02-06 16:27:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mark J. Cox 2006-01-18 10:50:05 UTC 
+++ This bug was initially created as a clone of Bug #178175 +++

A new cross-site scripting flaw has been reported in the tomcat jsp examples as
shipped in tomcat5-webapps in Red Hat Application Server.  See

http://issues.apache.org/jira/browse/GERONIMO-1474

This is fixed in upstream svn.

Marking this as moderate severity as users should not be putting examples into
production environments.  I've held off marking it low as the examples ought to
show good practices and our users may copy the bad behaviour.

Note also these issues
http://issues.apache.org/bugzilla/show_bug.cgi?id=32953

Note: We've not looked which of these issues actually affect the tomcat5-webapps
package.
Comment 1 Mark J. Cox 2006-01-31 08:15:22 UTC 
ping!  if fixed in rawhide please close this bug, otherwise please try to fix
this before FC5Test3 (Feb 6)
Comment 2 Mark J. Cox 2006-02-06 09:21:18 UTC 
ping!  if fixed in rawhide please close this bug, otherwise please try to fix
this before FC5Test3 (Feb 13)