Port the improved cookie parsing of Tomcat 6.0.x to Tomcat 5; see the corresponding patch from tomcat-dev here: http://marc.info/?l=tomcat-dev&m=119965464418142&w=2
New info from http://tomcat.apache.org/security-6.html: Low: Session hijacking, CVE-2007-5333. The previous fix for CVE-2007-3385 was incomplete. It did not consider the use of quotes or %5C within a cookie value.
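As an added illustration of the two cases that comment names (an example written for this page, not Tomcat's code and not taken from the patch), a small Python cookie parser that honours RFC 2109 quoted-strings with backslash escapes, plus a serializer that refuses to emit a raw value containing a quote, a backslash or a %5C that decodes to one. The Cookie headers in SAMPLE_HEADERS are constructed.

```python
import re
from urllib.parse import unquote

# Constructed Cookie header values (not taken from the bug report) covering the
# two cases the advisory names: a quoted value and a %5C-encoded backslash.
SAMPLE_HEADERS = [
    'JSESSIONID=abc123; theme=dark',
    'JSESSIONID="abc\\"123"; theme=light',  # quoted value with an escaped quote
    'JSESSIONID=abc%5C"; theme=dark',      # %5C (backslash) followed by a quote
]

# name=value pairs; a value is either an RFC 2109 quoted-string (backslash
# escapes allowed inside) or a run of characters up to the next separator.
_PAIR = re.compile(r'\s*([^=;,\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,]*)\s*(?:[;,]|$)')

# Characters that must not appear raw in an emitted cookie value: controls,
# space, double quote, backslash and the two separators.
_UNSAFE = re.compile(r'[\x00-\x20"\\,;\x7f]')


def parse_cookie_header(header: str) -> dict:
    """Parse a Cookie header into {name: value}, unescaping quoted values
    instead of splitting them at the first quote or separator."""
    cookies = {}
    pos = 0
    while pos < len(header):
        m = _PAIR.match(header, pos)
        if not m:
            break
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])  # drop the escaping backslashes
        cookies[name] = raw
        pos = m.end()
    return cookies


def is_safe_cookie_value(value: str) -> bool:
    """True only if neither the value nor its percent-decoded form contains a
    character that could end a quoted-string or start another attribute."""
    return not (_UNSAFE.search(value) or _UNSAFE.search(unquote(value)))


def serialize_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie fragment. Unsafe values are emitted as a quoted-string
    with backslash and double quote escaped, so the parser above round-trips them."""
    if is_safe_cookie_value(value):
        return f'{name}={value}'
    escaped = value.replace('\\', '\\\\').replace('"', '\\"')
    return f'{name}="{escaped}"'
```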
tomcat5-5.5.26-1jpp.2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
tomcat5-5.5.26-1jpp.2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
A patch for the patch: http://svn.apache.org/viewvc?view=rev&revision=627743
There are still regressions caused by the current upstream patch; see https://issues.apache.org/bugzilla/show_bug.cgi?id=44679
This issue has been addressed in the following products: Red Hat Enterprise Linux 5. Via RHSA-2009:1164 https://rhn.redhat.com/errata/RHSA-2009-1164.html
Due to CVE-2007-5333 being low severity, and the upstream fix previously causing regressions, an update for this issue was deferred until now.
This issue has been addressed in the following products: JBEWS 1.0.0 for RHEL 4, JBEWS 1.0.0 for RHEL 5. Via RHSA-2009:1454 https://rhn.redhat.com/errata/RHSA-2009-1454.html
This issue has been addressed in the following products: RHAPS Version 2 for RHEL 4. Via RHSA-2009:1562 https://rhn.redhat.com/errata/RHSA-2009-1562.html
This issue has been addressed in the following products: Red Hat Developer Suite V.3. Via RHSA-2009:1563 https://rhn.redhat.com/errata/RHSA-2009-1563.html
This issue has been addressed in the following products: Red Hat Network Satellite Server v 5.2, Red Hat Network Satellite Server v 5.3. Via RHSA-2009:1616 https://rhn.redhat.com/errata/RHSA-2009-1616.html
This issue has been addressed in the following products: Red Hat Certificate System 7.3. Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html