Bug 427766 - (CVE-2007-5333) CVE-2007-5333 Improve cookie parsing for tomcat5
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
impact=low,source=apache,reported=200...
:
Depends On: 427779 427780 428255 428256 428257 428258 428259 428261 428262 428263 428264 428265 428268 428269 528913 528914 534162 582770
Reported: 2008-01-07 08:55 EST by Marc Schoenefeld
Modified: 2012-07-09 03:02 EDT
Doc Type: Bug Fix
Last Closed: 2012-07-09 03:02:43 EDT
Attachments: None

Description Marc Schoenefeld 2008-01-07 08:55:44 EST
Port the improved cookie parsing of tomcat6.0.x to tomcat5, 
see corresponding patch from tomcat-dev here: 

http://marc.info/?l=tomcat-dev&m=119965464418142&w=2
Comment 7 Marc Schoenefeld 2008-02-11 04:08:01 EST
New info from http://tomcat.apache.org/security-6.html

low: Session hi-jacking   CVE-2007-5333

The previous fix for CVE-2007-3385 was incomplete. It did not consider the use
of quotes or %5C within a cookie value.
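The defect Comment 7 describes, an unescaped quote or backslash letting a cookie value end early, shown as an added example that is not code from this bug report or from Tomcat (Python rather than Java, with hypothetical serialize_cookie, naive_split and parse_cookie_header functions and a constructed sample value): the fragile split is placed beside a quote-aware parser, and the serialiser escapes exactly what the parser honours.

```python
# Added example (not from this bug report or Tomcat): a Set-Cookie serialiser
# that quotes values containing '"' or '\', and a Cookie header parser that
# honours quoted-strings, so a value cannot end early and smuggle a 2nd pair.
import re

# RFC 2109 token characters: values made only of these need no quoting.
_TOKEN = re.compile(r"^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$")
# Constructed sample: a value carrying a quote and a pair separator.
SAMPLE_VALUE = 'abc"; JSESSIONID=evil'

def serialize_cookie(name: str, value: str) -> str:
    """Return a name=value pair safe to place in a Set-Cookie header."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF would break the header onto a new line")
    if _TOKEN.match(value):
        return f"{name}={value}"
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{name}="{escaped}"'

def naive_split(header: str) -> dict:
    """The fragile pattern: split on ';' and '=' with no notion of quoting."""
    pairs = (p.split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_cookie_header(header: str) -> dict:
    """Parse a Cookie header into {name: value}, honouring quoted-strings.
    Works on the raw header and leaves percent-decoding to the application,
    so an encoded backslash (%5C) never acts as an escape or moves a boundary.
    """
    cookies, i, n = {}, 0, len(header)
    while i < n:
        m = re.match(r"\s*([^=;\s]+)\s*=\s*", header[i:])
        if m:
            name, i = m.group(1), i + m.end()
            if i < n and header[i] == '"':
                i, buf = i + 1, []
                while i < n and header[i] != '"':
                    if header[i] == "\\" and i + 1 < n:  # escaped char
                        i += 1
                    buf.append(header[i])
                    i += 1
                value, i = "".join(buf), i + 1  # step over closing quote
            else:
                j = header.find(";", i)
                j = n if j < 0 else j
                value, i = header[i:j].strip(), j
            cookies[name] = value
        j = header.find(";", i)  # move past this pair's separator
        i = n if j < 0 else j + 1
    return cookies
```

Feeding `"sid=" + SAMPLE_VALUE` to naive_split yields two cookies, one of them named JSESSIONID, while serialize_cookie followed by parse_cookie_header round-trips the sample as a single cookie.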
Comment 8 Fedora Update System 2008-02-12 23:54:21 EST
tomcat5-5.5.26-1jpp.2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2008-02-13 00:13:47 EST
tomcat5-5.5.26-1jpp.2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Marc Schoenefeld 2008-02-20 05:05:59 EST
A patch for the patch: 

http://svn.apache.org/viewvc?view=rev&revision=627743
Comment 11 Marc Schoenefeld 2008-04-25 15:51:23 EDT
There are still regressions caused by the current upstream patch, 
https://issues.apache.org/bugzilla/show_bug.cgi?id=44679 
Comment 13 errata-xmlrpc 2009-07-21 16:56:33 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1164 https://rhn.redhat.com/errata/RHSA-2009-1164.html
Comment 14 Murray McAllister 2009-07-21 18:03:32 EDT
Due to CVE-2007-5333 being low severity, and the upstream fix previously
causing regressions, an update for this issue was deferred until now.
Comment 16 errata-xmlrpc 2009-09-21 11:52:00 EDT
This issue has been addressed in the following products:

  JBEWS 1.0.0 for RHEL 4
  JBEWS 1.0.0 for RHEL 5

Via RHSA-2009:1454 https://rhn.redhat.com/errata/RHSA-2009-1454.html
Comment 19 errata-xmlrpc 2009-11-09 10:26:36 EST
This issue has been addressed in the following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2009:1562 https://rhn.redhat.com/errata/RHSA-2009-1562.html
Comment 20 errata-xmlrpc 2009-11-09 10:37:45 EST
This issue has been addressed in the following products:

  Red Hat Developer Suite V.3

Via RHSA-2009:1563 https://rhn.redhat.com/errata/RHSA-2009-1563.html
Comment 22 errata-xmlrpc 2009-11-30 10:16:27 EST
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.2
  Red Hat Network Satellite Server v 5.3

Via RHSA-2009:1616 https://rhn.redhat.com/errata/RHSA-2009-1616.html
Comment 23 errata-xmlrpc 2010-08-04 17:31:42 EDT
This issue has been addressed in the following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html