Bug 429835 - CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_5.0]
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Other
Version: 500
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Miroslav Suchý
QA Contact: wes hayutin
Depends On:
Blocks: 429320 CVE-2008-0128 438231
Reported: 2008-01-23 11:12 UTC by Marc Schoenefeld
Modified: 2008-05-20 21:13 UTC

Fixed In Version: sat502
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-05-20 21:13:08 UTC
Target Upstream Version:


Description Marc Schoenefeld 2008-01-23 11:12:04 UTC
rhn_satellite_5.0 tracking bug: see blocks bug list for full details of the security issue(s).

This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.

For the security issues handling process overview see: http://intranet.corp.redhat.com/ic/intranet/SecurityZStreamFAQ

[bug automatically created by: add-tracking-bugs]

Comment 2 Jean-frederic Clere 2008-03-18 08:11:11 UTC
The fix is something like http://svn.apache.org/viewvc?view=rev&revision=500626

Comment 3 Miroslav Suchý 2008-04-03 12:43:36 UTC
> [16:02] <fnasser_home> msuchy, pong
> [16:03] <msuchy> fnasser_inmtg: can you apply this patch https://bugzilla.redhat.com/show_bug.cgi?id=429835#c2 to tomcat5 and rebuild it?
> [16:04] <msuchy> fnasser_inmtg: I need to import to RHN Satellite
> [16:06] <fnasser_inmtg> msuchy, Sure, but please send it to me by e-mail, with a release going on I need something better than irc to track tasks. Which release of tomcat? 5.0.30 right? Is it security?
> [16:06] <fnasser_inmtg> msuchy, If it is security related please cc Marc (do you know Marc? If not I reply adding cc's for you)
> [16:06] <msuchy> fnasser_inmtg: we have tomcat5-5.0.27-2jpp_1rh
> [16:06] <msuchy> fnasser_inmtg: so 5.0.30 should be ok
> [16:07] <fnasser_inmtg> msuchy, I want to keep Jean-Frederic (jclere here) and Remy on the loop as well
> [16:07] <msuchy> fnasser_inmtg: it is reported by Marc
> [16:07] <fnasser_inmtg> msuchy, Yes, we did upgrade from 27 to 30 in our legacy JBoss AS releases
> [16:07] <msuchy> fnasser_inmtg: I sent you email with this last week :) I will send you it again
> [16:07] <fnasser_inmtg> msuchy, Better yet. But cc him, so he knows we are applying that
> [16:08] <fnasser_inmtg> msuchy, I will build and release this tomcat as part of the next month ASPATCH CP releases as well
> [16:08] <msuchy> fnasser_inmtg: I need it for release of Satellite, which is in 14th April
> [16:09] <fnasser_inmtg> msuchy, The ASPATCH CPs are on April 15th, so all is fine. I plan to do it asap though, as I want to get it out of the way

Comment 6 wes hayutin 2008-04-21 16:36:55 UTC
[root@rlx-3-18 ~]# rpm -q tomcat5
[root@rlx-3-18 ~]# hostname
[root@rlx-3-18 ~]# date
Mon Apr 21 12:34:16 EDT 2008

verified build 2

Comment 7 Preethi Thomas 2008-05-13 14:02:42 UTC
release pending

Comment 8 wes hayutin 2008-05-20 21:13:08 UTC
5.0.2 Satellite is now GA, bugs Closed for Current Release.
