Red Hat Bugzilla – Bug 429835
CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_5.0]
Last modified: 2008-05-20 17:13:08 EDT
rhn_satellite_5.0 tracking bug: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public; please put any public notes in the 'blocks' bugs.
For the security issues handling process overview see: http://intranet.corp.redhat.com/ic/intranet/SecurityZStreamFAQ
[bug automatically created by: add-tracking-bugs]
The fix is something like http://svn.apache.org/viewvc?view=rev&revision=500626
> [16:02] <fnasser_home> msuchy, pong
> [16:03] <msuchy> fnasser_inmtg: can you apply this patch
https://bugzilla.redhat.com/show_bug.cgi?id=429835#c2 to tomcat5 and rebuild it?
> [16:04] <msuchy> fnasser_inmtg: I need to import to RHN Satellite
> [16:06] <fnasser_inmtg> msuchy, Sure, but please send it to me by e-mail, with
a release going on I need something better than irc to track tasks. Which
release of tomcat? 5.0.30 right? Is it security?
> [16:06] <fnasser_inmtg> msuchy, If it is security related please cc Marc (do
you know Marc? If not I reply adding cc's for you)
> [16:06] <msuchy> fnasser_inmtg: we have tomcat5-5.0.27-2jpp_1rh
> [16:06] <msuchy> fnasser_inmtg: so 5.0.30 should be ok
> [16:07] <fnasser_inmtg> msuchy, I want to keep Jean-Frederic (jclere here) and
Remy on the loop as well
> [16:07] <msuchy> fnasser_inmtg: it is reported by Marc
> [16:07] <fnasser_inmtg> msuchy, Yes, we did upgrade from 27 to 30 in our
legacy JBoss AS releases
> [16:07] <msuchy> fnasser_inmtg: I sent you email with this last week :) I will
send you it again
> [16:07] <fnasser_inmtg> msuchy, Better yet. But cc him, so he knows we are
applying that
> [16:08] <fnasser_inmtg> msuchy, I will build and release this tomcat as part
of the next month ASPATCH CP releases as well
> [16:08] <msuchy> fnasser_inmtg: I need it for release of Satellite, which is
in 14th April
> [16:09] <fnasser_inmtg> msuchy, The ASPATCH CPs are on April 15th, so all is
fine. I plan to do it asap though, as I want to get it out of the way
[root@rlx-3-18 ~]# rpm -q tomcat5
[root@rlx-3-18 ~]# hostname
[root@rlx-3-18 ~]# date
Mon Apr 21 12:34:16 EDT 2008
verified build 2
5.0.2 Satellite is now GA, bugs Closed for Current Release.