Bug 432327 (CVE-2008-0002)

Summary: CVE-2008-0002 Tomcat information disclosure vulnerability
Product: [Other] Security Response
Reporter: Marc Schoenefeld <mschoene>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All   
OS: Linux   
URL: http://marc.info/?l=bugtraq&m=120251018920265&w=4
Fixed In Version: 5.5.26-1jpp.1
Doc Type: Bug Fix
Last Closed: 2008-03-03 07:37:46 UTC
Bug Depends On: 432474, 432475, 432476    

Description Marc Schoenefeld 2008-02-11 10:06:10 UTC
CVE-2008-0002: Tomcat information disclosure vulnerability

Severity: important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 6.0.5 to 6.0.15

Description:
If an exception occurs during the processing of parameters (e.g. if the
client disconnects) then it is possible that the parameters submitted for
that request will be incorrectly processed as part of a following request.

Mitigation:
6.0.x users should upgrade to 6.0.16 or later.

Example:
See description.

Credit:
This issue was discovered by Chitrapandian N of AdventNet Inc.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
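
A simplified model of the failure mode in the description above, added here as an illustration; it is not Tomcat code and not part of the original report. It assumes that one request object is reused for successive requests and that the error path skips the reset; `PooledRequest`, `handleWeak` and `handleHardened` are hypothetical names and the input is constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Constructed model, not Tomcat source. Assumption: one request object is
// reused for successive requests and is cleared by recycle() between them.
public class ParamLeakDemo {
    static class PooledRequest {
        private final Map<String, String> params = new LinkedHashMap<>();

        // Each chunk is "name=value"; a null chunk stands in for the client
        // disconnecting while the parameters are still being read.
        void parse(String... chunks) {
            for (String chunk : chunks) {
                if (chunk == null) throw new IllegalStateException("client disconnected");
                String[] kv = chunk.split("=", 2);
                params.put(kv[0], kv.length > 1 ? kv[1] : "");
            }
        }
        Map<String, String> snapshot() { return new LinkedHashMap<>(params); }
        void recycle() { params.clear(); }
    }

    // Weak form: an exception in parse() skips recycle(), so partial state survives.
    static Map<String, String> handleWeak(PooledRequest req, String... chunks) {
        req.parse(chunks);
        Map<String, String> seen = req.snapshot();
        req.recycle();
        return seen;
    }

    // Hardened form: the reset runs on every exit path.
    static Map<String, String> handleHardened(PooledRequest req, String... chunks) {
        try {
            req.parse(chunks);
            return req.snapshot();
        } finally {
            req.recycle();
        }
    }

    public static void main(String[] args) {
        PooledRequest weak = new PooledRequest(), hardened = new PooledRequest();
        String[] aborted = {"user=alice", "token=constructed-value", null}; // constructed input
        try { handleWeak(weak, aborted); } catch (IllegalStateException e) { /* dropped */ }
        try { handleHardened(hardened, aborted); } catch (IllegalStateException e) { /* dropped */ }
        // The next request on the same object sends only q=1.
        System.out.println("weak:     " + handleWeak(weak, "q=1"));
        System.out.println("hardened: " + handleHardened(hardened, "q=1"));
    }
}
```

In the weak handler the second request sees the aborted request's parameters alongside its own; in the hardened handler it sees only what it sent.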

Comment 3 Fedora Update System 2008-02-12 20:32:03 UTC
tomcat5-5.5.26-1jpp.2.fc8 has been submitted as an update for Fedora 8

Comment 4 Fedora Update System 2008-02-12 20:33:54 UTC
tomcat5-5.5.26-1jpp.2.fc7 has been submitted as an update for Fedora 7

Comment 5 Fedora Update System 2008-02-13 04:54:40 UTC
tomcat5-5.5.26-1jpp.2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2008-02-13 05:14:10 UTC
tomcat5-5.5.26-1jpp.2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.