Bug 427766 (CVE-2007-5333) - CVE-2007-5333 Improve cookie parsing for tomcat5
Summary: CVE-2007-5333 Improve cookie parsing for tomcat5
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-5333
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,source=apache,reported=200...
Depends On: 427779 427780 428255 428256 428257 428258 428259 428261 428262 428263 428264 428265 428268 428269 528913 528914 534162 582770
Blocks:
Reported: 2008-01-07 13:55 UTC by Marc Schoenefeld
Modified: 2019-06-08 12:26 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-09 07:02:43 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1164 normal SHIPPED_LIVE Important: tomcat security update 2009-07-21 20:56:29 UTC
Red Hat Product Errata RHSA-2009:1454 normal SHIPPED_LIVE Important: tomcat5 security update 2009-09-23 15:15:12 UTC
Red Hat Product Errata RHSA-2009:1562 normal SHIPPED_LIVE Important: tomcat security update 2009-11-09 15:26:22 UTC
Red Hat Product Errata RHSA-2009:1563 normal SHIPPED_LIVE Important: tomcat security update 2009-11-09 15:37:31 UTC
Red Hat Product Errata RHSA-2009:1616 normal SHIPPED_LIVE Low: tomcat security update for Red Hat Network Satellite Server 2009-11-30 15:16:12 UTC
Red Hat Product Errata RHSA-2010:0602 normal SHIPPED_LIVE Moderate: Red Hat Certificate System 7.3 security update 2010-08-05 14:04:51 UTC

Description Marc Schoenefeld 2008-01-07 13:55:44 UTC
Port the improved cookie parsing of tomcat6.0.x to tomcat5, 
see corresponding patch from tomcat-dev here: 

http://marc.info/?l=tomcat-dev&m=119965464418142&w=2

Comment 7 Marc Schoenefeld 2008-02-11 09:08:01 UTC
New info from http://tomcat.apache.org/security-6.html

low: Session hi-jacking   CVE-2007-5333

The previous fix for CVE-2007-3385 was incomplete. It did not consider the use
of quotes or %5C within a cookie value.

Comment 8 Fedora Update System 2008-02-13 04:54:21 UTC
tomcat5-5.5.26-1jpp.2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2008-02-13 05:13:47 UTC
tomcat5-5.5.26-1jpp.2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Marc Schoenefeld 2008-02-20 10:05:59 UTC
A patch for the patch: 

http://svn.apache.org/viewvc?view=rev&revision=627743

Comment 11 Marc Schoenefeld 2008-04-25 19:51:23 UTC
There are still regressions caused by the current upstream patch, 
https://issues.apache.org/bugzilla/show_bug.cgi?id=44679 


Comment 13 errata-xmlrpc 2009-07-21 20:56:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1164 https://rhn.redhat.com/errata/RHSA-2009-1164.html

Comment 14 Murray McAllister 2009-07-21 22:03:32 UTC
Due to CVE-2007-5333 being low severity, and the upstream fix previously
causing regressions, an update for this issue was deferred until now.

Comment 16 errata-xmlrpc 2009-09-21 15:52:00 UTC
This issue has been addressed in the following products:

  JBEWS 1.0.0 for RHEL 4
  JBEWS 1.0.0 for RHEL 5

Via RHSA-2009:1454 https://rhn.redhat.com/errata/RHSA-2009-1454.html

Comment 19 errata-xmlrpc 2009-11-09 15:26:36 UTC
This issue has been addressed in the following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2009:1562 https://rhn.redhat.com/errata/RHSA-2009-1562.html

Comment 20 errata-xmlrpc 2009-11-09 15:37:45 UTC
This issue has been addressed in the following products:

  Red Hat Developer Suite V.3

Via RHSA-2009:1563 https://rhn.redhat.com/errata/RHSA-2009-1563.html

Comment 22 errata-xmlrpc 2009-11-30 15:16:27 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.2
  Red Hat Network Satellite Server v 5.3

Via RHSA-2009:1616 https://rhn.redhat.com/errata/RHSA-2009-1616.html

Comment 23 errata-xmlrpc 2010-08-04 21:31:42 UTC
This issue has been addressed in the following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html

