Bug 429835 - CVE-2008-0128 tomcat5 SSO cookie login information disclosure [rhn_satellite_5.0]
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Other
Version: 500
Hardware: All Linux
Priority: low Severity: low
Assigned To: Miroslav Suchý
QA Contact: wes hayutin
Keywords: Security
Depends On:
Blocks: 429320 CVE-2008-0128 438231
Reported: 2008-01-23 06:12 EST by Marc Schoenefeld
Modified: 2008-05-20 17:13 EDT (History)
Fixed In Version: sat502
Doc Type: Bug Fix
Last Closed: 2008-05-20 17:13:08 EDT

Description Marc Schoenefeld 2008-01-23 06:12:04 EST
rhn_satellite_5.0 tracking bug: see blocks bug list for full details of the security issue(s).

This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.

For the security issues handling process overview see: http://intranet.corp.redhat.com/ic/intranet/SecurityZStreamFAQ

[bug automatically created by: add-tracking-bugs]
Comment 2 Jean-frederic Clere 2008-03-18 04:11:11 EDT
The fix is something like http://svn.apache.org/viewvc?view=rev&revision=500626
Comment 3 Miroslav Suchý 2008-04-03 08:43:36 EDT
> [16:02] <fnasser_home> msuchy, pong
> [16:03] <msuchy> fnasser_inmtg: can you apply this patch https://bugzilla.redhat.com/show_bug.cgi?id=429835#c2 to tomcat5 and rebuild it?
> [16:04] <msuchy> fnasser_inmtg: I need to import to RHN Satellite
> [16:06] <fnasser_inmtg> msuchy, Sure, but please send it to me by e-mail, with a release going on I need something better than irc to track tasks.  Which release of tomcat? 5.0.30 right?  Is it security?
> [16:06] <fnasser_inmtg> msuchy, If it is security related please cc Marc (do you know Marc?  If not I reply adding cc's for you)
> [16:06] <msuchy> fnasser_inmtg: we have tomcat5-5.0.27-2jpp_1rh
> [16:06] <msuchy> fnasser_inmtg: so 5.0.30 should be ok
> [16:07] <fnasser_inmtg> msuchy, I want to keep Jean-Frederic ( jclere here) and Remy on the loop as well
> [16:07] <msuchy> fnasser_inmtg: it is reported by Marc
> [16:07] <fnasser_inmtg> msuchy, Yes, we did upgrade from 27 to 30 in our legacy JBoss AS releases
> [16:07] <msuchy> fnasser_inmtg: I sent you email with this last week :) I will send you it again
> [16:07] <fnasser_inmtg> msuchy, Better yet.  But cc him, so he knows we are applying that
> [16:08] <fnasser_inmtg> msuchy, I will build and release this tomcat as part of the next month ASPATCH CP releases as well
> [16:08] <msuchy> fnasser_inmtg: I need it for release of Satellite, which is in 14th April
> [16:09] <fnasser_inmtg> msuchy, The ASPATCH CPs are on April 15th, so all is fine.  I plan to do it asap though, as I want to get it out of the way

Comment 6 wes hayutin 2008-04-21 12:36:55 EDT
[root@rlx-3-18 ~]# rpm -q tomcat5
tomcat5-5.0.30-0jpp_10rh
[root@rlx-3-18 ~]# hostname
rlx-3-18.rhndev.redhat.com
[root@rlx-3-18 ~]# date
Mon Apr 21 12:34:16 EDT 2008

verified build 2
Comment 7 Preethi Thomas 2008-05-13 10:02:42 EDT
release pending
Comment 8 wes hayutin 2008-05-20 17:13:08 EDT
5.0.2 Satellite is now GA, bugs Closed for Current Release.

