Bug 429835

Summary: CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_5.0]
Product: Red Hat Satellite 5
Reporter: Marc Schoenefeld <mschoene>
Component: Other
Assignee: Miroslav Suchý <msuchy>
Status: CLOSED CURRENTRELEASE
QA Contact: wes hayutin <whayutin>
Severity: low
Priority: low
Version: 500
CC: jclere, pcheung
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: sat502
Doc Type: Bug Fix
Last Closed: 2008-05-20 21:13:08 UTC
Bug Blocks: 429320, 429821, 438231

Description Marc Schoenefeld 2008-01-23 11:12:04 UTC
rhn_satellite_5.0 tracking bug: see blocks bug list for full details of the security issue(s).

This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.

For the security issues handling process overview see: http://intranet.corp.redhat.com/ic/intranet/SecurityZStreamFAQ

[bug automatically created by: add-tracking-bugs]

Comment 2 Jean-frederic Clere 2008-03-18 08:11:11 UTC
The fix is something like http://svn.apache.org/viewvc?view=rev&revision=500626

Comment 3 Miroslav Suchý 2008-04-03 12:43:36 UTC
> [16:02] <fnasser_home> msuchy, pong
> [16:03] <msuchy> fnasser_inmtg: can you apply this patch https://bugzilla.redhat.com/show_bug.cgi?id=429835#c2 to tomcat5 and rebuild it?
> [16:04] <msuchy> fnasser_inmtg: I need to import to RHN Satellite
> [16:06] <fnasser_inmtg> msuchy, Sure, but please send it to me by e-mail, with a release going on I need something better than irc to track tasks. Which release of tomcat? 5.0.30 right? Is it security?
> [16:06] <fnasser_inmtg> msuchy, If it is security related please cc Marc (do you know Marc? If not I reply adding cc's for you)
> [16:06] <msuchy> fnasser_inmtg: we have tomcat5-5.0.27-2jpp_1rh
> [16:06] <msuchy> fnasser_inmtg: so 5.0.30 should be ok
> [16:07] <fnasser_inmtg> msuchy, I want to keep Jean-Frederic ( jclere here) and Remy on the loop as well
> [16:07] <msuchy> fnasser_inmtg: it is reported by Marc
> [16:07] <fnasser_inmtg> msuchy, Yes, we did upgrade from 27 to 30 in our legacy JBoss AS releases
> [16:07] <msuchy> fnasser_inmtg: I sent you email with this last week :) I will send you it again
> [16:07] <fnasser_inmtg> msuchy, Better yet. But cc him, so he knows we are applying that
> [16:08] <fnasser_inmtg> msuchy, I will build and release this tomcat as part of the next month ASPATCH CP releases as well
> [16:08] <msuchy> fnasser_inmtg: I need it for release of Satellite, which is in 14th April
> [16:09] <fnasser_inmtg> msuchy, The ASPATCH CPs are on April 15th, so all is fine. I plan to do it asap though, as I want to get it out of the way



Comment 6 wes hayutin 2008-04-21 16:36:55 UTC
[root@rlx-3-18 ~]# rpm -q tomcat5
tomcat5-5.0.30-0jpp_10rh
[root@rlx-3-18 ~]# hostname
rlx-3-18.rhndev.redhat.com
[root@rlx-3-18 ~]# date
Mon Apr 21 12:34:16 EDT 2008

verified build 2


Comment 7 Preethi Thomas 2008-05-13 14:02:42 UTC
release pending

Comment 8 wes hayutin 2008-05-20 21:13:08 UTC
5.0.2 Satellite is now GA, bugs Closed for Current Release.