Red Hat Bugzilla – Bug 238192
Update tomcat5 to 5.5.23
Last modified: 2008-01-05 07:17:31 EST
The current version of tomcat5 is tomcat5-5.5.17-6jpp.2. This version of the
japackage rpm had some problems that were fixed in version 5.5.20
* Fri Feb 23 2007 Jason Corley <firstname.lastname@example.org> 0:5.5.20-6jpp
- update year in copyright text
- use -tomcat5 subpackages for j-c-collections, j-c-dbcp, and j-c-pool so
that JNDI resources work properly
one symptom of this problem is that naming-factory-dbcp.jar isn't included.
This problem should be fixed by upgrading the fedora package to bring it in line
with the latest jpackage rpm.
The problem is that upstream tomcat5 takes classes from a number of
jakarta-commons-* jars (org.apache.commons package) and sticks it under the
org.apache.tomcat package. JPP till before 5.5.20-6jpp was symlinking the
appropriate jars from jakarta-commona-* jars from the appropriate packages
These packages have since been modified to produce a -tomcat5 package that does
the package translation for tomcat5 and symlinks jars produced by these. I will
have to audit these packages to see if these can be updated to those expected by
What about the security issues with Tomcat 5.5.17 (possible directory traversal
attack if tomcat is running proxied behind another server, cf.
I can confirm the problematic behaviour on a Fedora 6 box. Is nobody worrying?
RHEL released updates yesterday, but I did not find any clue about Fedora trying
to update to 5.5.23, not a small notice.
What is the current state?
Bug #240208 has superseeded this one. The vulnerabilities are fixed with 5.5.23,
the update was pushed long time ago.
You may close this bug now, from my point of view. Thanks.
Closing this bug.