Bug 238192

Summary: Update tomcat5 to 5.5.23
Product: [Fedora] Fedora Reporter: Aaron Luchko <aaron>
Component: tomcat5Assignee: Vivek Lakshmanan <viveklak>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6CC: christoph
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-05 12:17:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Aaron Luchko 2007-04-27 20:12:11 UTC 
The current version of tomcat5 is tomcat5-5.5.17-6jpp.2. This version of the
japackage rpm had some problems that were fixed in version 5.5.20

http://www.jpackage.org/cgi-bin/cvsweb.cgi/rpms/free/tomcat5/tomcat5.spec?rev=1.3.2.20;cvsroot=jpackage;only_with_tag=r5_5_23-7jpp

"
* Fri Feb 23 2007 Jason Corley <jason.corley> 0:5.5.20-6jpp
- update year in copyright text
- use -tomcat5 subpackages for j-c-collections, j-c-dbcp, and j-c-pool so
  that JNDI resources work properly
"

one symptom of this problem is that naming-factory-dbcp.jar isn't included.

This problem should be fixed by upgrading the fedora package to bring it in line
with the latest jpackage rpm.
Comment 1 Vivek Lakshmanan 2007-05-11 03:24:20 UTC 
The problem is that upstream tomcat5 takes classes from a number of
jakarta-commons-* jars (org.apache.commons package) and sticks it under the
org.apache.tomcat package. JPP till before 5.5.20-6jpp was symlinking the
appropriate jars from jakarta-commona-* jars from the appropriate packages
without modification. 

These packages have since been modified to produce a -tomcat5 package that does
the package translation for tomcat5 and symlinks jars produced by these. I will
have to audit these packages to see if these can be updated to those expected by
tomcat5-5.5.23-6jpp+.
Comment 2 Christoph Trassl 2007-05-15 03:16:32 UTC 
What about the security issues with Tomcat 5.5.17 (possible directory traversal
attack if tomcat is running proxied behind another server, cf.
https://rhn.redhat.com/errata/RHSA-2007-0327.html)? 

I can confirm the problematic behaviour on a Fedora 6 box. Is nobody worrying? 

RHEL released updates yesterday, but I did not find any clue about Fedora trying
to update to 5.5.23, not a small notice.

What is the current state?
Comment 3 Christoph Trassl 2007-07-18 23:13:59 UTC 
Bug #240208 has superseeded this one. The vulnerabilities are fixed with 5.5.23,
the update was pushed long time ago.

You may close this bug now, from my point of view. Thanks.
Comment 4 Devrim GUNDUZ 2008-01-05 12:17:31 UTC 
Closing this bug.