The current version of tomcat5 is tomcat5-5.5.17-6jpp.2. This version of the japackage rpm had some problems that were fixed in version 5.5.20 http://www.jpackage.org/cgi-bin/cvsweb.cgi/rpms/free/tomcat5/tomcat5.spec?rev=1.3.2.20;cvsroot=jpackage;only_with_tag=r5_5_23-7jpp " * Fri Feb 23 2007 Jason Corley <jason.corley> 0:5.5.20-6jpp - update year in copyright text - use -tomcat5 subpackages for j-c-collections, j-c-dbcp, and j-c-pool so that JNDI resources work properly " one symptom of this problem is that naming-factory-dbcp.jar isn't included. This problem should be fixed by upgrading the fedora package to bring it in line with the latest jpackage rpm.
The problem is that upstream tomcat5 takes classes from a number of jakarta-commons-* jars (org.apache.commons package) and sticks it under the org.apache.tomcat package. JPP till before 5.5.20-6jpp was symlinking the appropriate jars from jakarta-commona-* jars from the appropriate packages without modification. These packages have since been modified to produce a -tomcat5 package that does the package translation for tomcat5 and symlinks jars produced by these. I will have to audit these packages to see if these can be updated to those expected by tomcat5-5.5.23-6jpp+.
What about the security issues with Tomcat 5.5.17 (possible directory traversal attack if tomcat is running proxied behind another server, cf. https://rhn.redhat.com/errata/RHSA-2007-0327.html)? I can confirm the problematic behaviour on a Fedora 6 box. Is nobody worrying? RHEL released updates yesterday, but I did not find any clue about Fedora trying to update to 5.5.23, not a small notice. What is the current state?
Bug #240208 has superseeded this one. The vulnerabilities are fixed with 5.5.23, the update was pushed long time ago. You may close this bug now, from my point of view. Thanks.
Closing this bug.