Bug 238192 - Update tomcat5 to 5.5.23
Summary: Update tomcat5 to 5.5.23
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: tomcat5
Version: 6
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Vivek Lakshmanan
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-04-27 20:12 UTC by Aaron Luchko
Modified: 2008-01-05 12:17 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-01-05 12:17:31 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Aaron Luchko 2007-04-27 20:12:11 UTC
The current version of tomcat5 is tomcat5-5.5.17-6jpp.2. This version of the
japackage rpm had some problems that were fixed in version 5.5.20

http://www.jpackage.org/cgi-bin/cvsweb.cgi/rpms/free/tomcat5/tomcat5.spec?rev=1.3.2.20;cvsroot=jpackage;only_with_tag=r5_5_23-7jpp

"
* Fri Feb 23 2007 Jason Corley <jason.corley> 0:5.5.20-6jpp
- update year in copyright text
- use -tomcat5 subpackages for j-c-collections, j-c-dbcp, and j-c-pool so
  that JNDI resources work properly
"

one symptom of this problem is that naming-factory-dbcp.jar isn't included.

This problem should be fixed by upgrading the fedora package to bring it in line
with the latest jpackage rpm.

Comment 1 Vivek Lakshmanan 2007-05-11 03:24:20 UTC
The problem is that upstream tomcat5 takes classes from a number of
jakarta-commons-* jars (org.apache.commons package) and sticks it under the
org.apache.tomcat package. JPP till before 5.5.20-6jpp was symlinking the
appropriate jars from jakarta-commona-* jars from the appropriate packages
without modification. 

These packages have since been modified to produce a -tomcat5 package that does
the package translation for tomcat5 and symlinks jars produced by these. I will
have to audit these packages to see if these can be updated to those expected by
tomcat5-5.5.23-6jpp+.

Comment 2 Christoph Trassl 2007-05-15 03:16:32 UTC
What about the security issues with Tomcat 5.5.17 (possible directory traversal
attack if tomcat is running proxied behind another server, cf.
https://rhn.redhat.com/errata/RHSA-2007-0327.html)? 

I can confirm the problematic behaviour on a Fedora 6 box. Is nobody worrying? 

RHEL released updates yesterday, but I did not find any clue about Fedora trying
to update to 5.5.23, not a small notice.

What is the current state?


Comment 3 Christoph Trassl 2007-07-18 23:13:59 UTC
Bug #240208 has superseeded this one. The vulnerabilities are fixed with 5.5.23,
the update was pushed long time ago.

You may close this bug now, from my point of view. Thanks.

Comment 4 Devrim GUNDUZ 2008-01-05 12:17:31 UTC
Closing this bug.


Note You need to log in before you can comment on or make changes to this bug.