Bug 429835 - CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_5.0]
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Other
Version: 500
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Miroslav Suchý
QA Contact: wes hayutin
Keywords: Security
Blocks: 429320 CVE-2008-0128 438231
Reported: 2008-01-23 11:12 UTC by Marc Schoenefeld
Modified: 2008-05-20 21:13 UTC
Last Closed: 2008-05-20 21:13:08 UTC



Description Marc Schoenefeld 2008-01-23 11:12:04 UTC
rhn_satellite_5.0 tracking bug: see blocks bug list for full details of the security issue(s).

This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.

For the security issues handling process overview see: http://intranet.corp.redhat.com/ic/intranet/SecurityZStreamFAQ

[bug automatically created by: add-tracking-bugs]

Comment 2 Jean-frederic Clere 2008-03-18 08:11:11 UTC
The fix is something like http://svn.apache.org/viewvc?view=rev&revision=500626

Comment 3 Miroslav Suchý 2008-04-03 12:43:36 UTC
> [16:02] <fnasser_home> msuchy, pong
> [16:03] <msuchy> fnasser_inmtg: can you apply this patch https://bugzilla.redhat.com/show_bug.cgi?id=429835#c2 to tomcat5 and rebuild it?
> [16:04] <msuchy> fnasser_inmtg: I need to import to RHN Satellite
> [16:06] <fnasser_inmtg> msuchy, Sure, but please send it to me by e-mail, with a release going on I need something better than irc to track tasks.  Which release of tomcat? 5.0.30 right?  Is it security?
> [16:06] <fnasser_inmtg> msuchy, If it is security related please cc Marc (do you know Marc?  If not I reply adding cc's for you)
> [16:06] <msuchy> fnasser_inmtg: we have tomcat5-5.0.27-2jpp_1rh
> [16:06] <msuchy> fnasser_inmtg: so 5.0.30 should be ok
> [16:07] <fnasser_inmtg> msuchy, I want to keep Jean-Frederic ( jclere here) and Remy on the loop as well
> [16:07] <msuchy> fnasser_inmtg: it is reported by Marc
> [16:07] <fnasser_inmtg> msuchy, Yes, we did upgrade from 27 to 30 in our legacy JBoss AS releases
> [16:07] <msuchy> fnasser_inmtg: I sent you email with this last week :) I will send you it again
> [16:07] <fnasser_inmtg> msuchy, Better yet.  But cc him, so he knows we are applying that
> [16:08] <fnasser_inmtg> msuchy, I will build and release this tomcat as part of the next month ASPATCH CP releases as well
> [16:08] <msuchy> fnasser_inmtg: I need it for release of Satellite, which is in 14th April
> [16:09] <fnasser_inmtg> msuchy, The ASPATCH CPs are on April 15th, so all is fine.  I plan to do it asap though, as I want to get it out of the way



Comment 6 wes hayutin 2008-04-21 16:36:55 UTC
[root@rlx-3-18 ~]# rpm -q tomcat5
tomcat5-5.0.30-0jpp_10rh
[root@rlx-3-18 ~]# hostname
rlx-3-18.rhndev.redhat.com
[root@rlx-3-18 ~]# date
Mon Apr 21 12:34:16 EDT 2008

verified build 2


Comment 7 Preethi Thomas 2008-05-13 14:02:42 UTC
release pending

Comment 8 wes hayutin 2008-05-20 21:13:08 UTC
5.0.2 Satellite is now GA, bugs Closed for Current Release.



