Bug 238192 - Update tomcat5 to 5.5.23
Update tomcat5 to 5.5.23
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: tomcat5 (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Vivek Lakshmanan
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-04-27 16:12 EDT by Aaron Luchko
Modified: 2008-01-05 07:17 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-05 07:17:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Aaron Luchko 2007-04-27 16:12:11 EDT
The current version of tomcat5 is tomcat5-5.5.17-6jpp.2. This version of the
japackage rpm had some problems that were fixed in version 5.5.20

http://www.jpackage.org/cgi-bin/cvsweb.cgi/rpms/free/tomcat5/tomcat5.spec?rev=1.3.2.20;cvsroot=jpackage;only_with_tag=r5_5_23-7jpp

"
* Fri Feb 23 2007 Jason Corley <jason.corley@gmail.com> 0:5.5.20-6jpp
- update year in copyright text
- use -tomcat5 subpackages for j-c-collections, j-c-dbcp, and j-c-pool so
  that JNDI resources work properly
"

one symptom of this problem is that naming-factory-dbcp.jar isn't included.

This problem should be fixed by upgrading the fedora package to bring it in line
with the latest jpackage rpm.
Comment 1 Vivek Lakshmanan 2007-05-10 23:24:20 EDT
The problem is that upstream tomcat5 takes classes from a number of
jakarta-commons-* jars (org.apache.commons package) and sticks it under the
org.apache.tomcat package. JPP till before 5.5.20-6jpp was symlinking the
appropriate jars from jakarta-commona-* jars from the appropriate packages
without modification. 

These packages have since been modified to produce a -tomcat5 package that does
the package translation for tomcat5 and symlinks jars produced by these. I will
have to audit these packages to see if these can be updated to those expected by
tomcat5-5.5.23-6jpp+.
Comment 2 Christoph Trassl 2007-05-14 23:16:32 EDT
What about the security issues with Tomcat 5.5.17 (possible directory traversal
attack if tomcat is running proxied behind another server, cf.
https://rhn.redhat.com/errata/RHSA-2007-0327.html)? 

I can confirm the problematic behaviour on a Fedora 6 box. Is nobody worrying? 

RHEL released updates yesterday, but I did not find any clue about Fedora trying
to update to 5.5.23, not a small notice.

What is the current state?
Comment 3 Christoph Trassl 2007-07-18 19:13:59 EDT
Bug #240208 has superseeded this one. The vulnerabilities are fixed with 5.5.23,
the update was pushed long time ago.

You may close this bug now, from my point of view. Thanks.
Comment 4 Devrim GUNDUZ 2008-01-05 07:17:31 EST
Closing this bug.

Note You need to log in before you can comment on or make changes to this bug.