CERT reported to security@tomcat a flaw handling cookies containing a ' character. Tomcat currently treats it as a delimiter. This may well not be a security issue in itself.

TC 6.0: http://svn.apache.org/viewvc?view=rev&rev=553218
TC 5.5: Affected.
TC 5.0: Affected. (Use $Version=1).
TC 4.1: Like 5.0, additional patch also needed, attached.

Issue not yet public.
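To illustrate the parsing difference reported above, here is an added example (not Tomcat's code and not part of the original report): a minimal Cookie header splitter run twice over a constructed header, once accepting ' as a quote delimiter and once accepting only ", the quoted-string delimiter of RFC 2109. The class name, the `parse` helper and the cookie names and values are assumptions made for the illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class CookieQuoteDemo {
    // Splits a Cookie header into name/value pairs. `quoteChars` lists the
    // characters accepted as opening/closing a quoted value; inside a quoted
    // value a ';' does not end the cookie.
    static Map<String, String> parse(String header, String quoteChars) {
        Map<String, String> cookies = new LinkedHashMap<>();
        int i = 0, n = header.length();
        while (i < n) {
            int eq = header.indexOf('=', i);
            if (eq < 0) break;                        // no further name=value pair
            String name = header.substring(i, eq).trim();
            int start = eq + 1, end;
            if (start < n && quoteChars.indexOf(header.charAt(start)) >= 0) {
                // Quoted value: runs to the matching quote character.
                int close = header.indexOf(header.charAt(start), start + 1);
                end = close < 0 ? n : close + 1;      // unterminated: take the rest
            } else {
                // Unquoted token: runs to the next ';'.
                end = header.indexOf(';', start);
                if (end < 0) end = n;
            }
            cookies.put(name, header.substring(start, end));
            int semi = header.indexOf(';', end);      // skip to the next cookie
            i = semi < 0 ? n : semi + 1;
        }
        return cookies;
    }

    public static void main(String[] args) {
        // Constructed header: two cookie values happen to contain a ' character.
        String header = "pref='a; JSESSIONID=CONSTRUCTED123; note=b'";

        // ' and " both treated as delimiters (the behaviour the report describes).
        Map<String, String> lenient = parse(header, "\"'");
        // Only " delimits a quoted-string, as in RFC 2109; ' is an ordinary character.
        Map<String, String> strict = parse(header, "\"");

        System.out.println("lenient: " + lenient);
        System.out.println("strict:  " + strict);
        // A differing key set means a ' changed where cookie boundaries fall.
        System.out.println("boundaries differ: " + !lenient.keySet().equals(strict.keySet()));
    }
}
```

The same two-pass comparison can serve as a regression check after patching: once ' is no longer treated as a delimiter, both passes return the same cookie names for any header.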
Created attachment 159049: additional patch (also needs svn commit)
removing embargo, now public at http://tomcat.apache.org/security-4.html
tomcat5-5.5.25-1jpp.1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
tomcat5-5.5.25-1jpp.1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html