Date: Sat, 24 Apr 2010 20:46:55 GMT
From: niels <niels@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/146022: [security] tomcat information disclosure
Message-ID: <201004242046.o3OKkt6W065229@www.freebsd.org>
Resent-Message-ID: <201004242050.o3OKo319044789@freefall.freebsd.org>
>Number:         146022
>Category:       ports
>Synopsis:       [security] tomcat information disclosure
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 24 20:50:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     niels
>Release:        8.0-STABLE
>Organization:
>Environment:
>Description:
From the security advisory:

Low: Information disclosure in authentication headers
CVE-2010-1157

The WWW-Authenticate HTTP header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, if a <realm-name> is not specified, Tomcat will generate a realm name using the code snippet request.getServerName() + ":" + request.getServerPort(). In some circumstances this can expose the local host name or IP address of the machine running Tomcat.

Can you update the ports or add the patch? Thanks!
>How-To-Repeat:
N/A
>Fix:
Tomcat 6.0.x: http://svn.apache.org/viewvc?view=rev&rev=936540
Tomcat 5.5.x: http://svn.apache.org/viewvc?view=rev&rev=936541
>Release-Note:
>Audit-Trail:
>Unformatted:
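As an added defender-side check (not part of this PR, the advisory or Tomcat), the script below parses the WWW-Authenticate header of a captured 401 response and flags a realm with the host:port shape that an affected Tomcat produces when web.xml has no <realm-name>; the sample responses, host names and ports are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample 401 responses (host names and ports are made up).
RESPONSE_NO_REALM_NAME = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="app-node07.corp.internal:8080"\r\n'
    "Content-Length: 0\r\n\r\n"
)
RESPONSE_REALM_NAME_SET = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Digest realm="Admin Area", qop="auth", '
    'nonce="c0ffee1234", opaque="deadbeef"\r\n'
    "Content-Length: 0\r\n\r\n"
)

_REALM_RE = re.compile(r'realm\s*=\s*"([^"]*)"', re.IGNORECASE)
# Shape of getServerName() + ":" + getServerPort(): a host name or IPv4
# literal, a colon, then a decimal port. A chosen <realm-name> rarely looks so.
_HOST_PORT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*:(\d{1,5})$")

def parse_realm(challenge: str) -> Optional[str]:
    """Return the realm parameter of one WWW-Authenticate value, or None."""
    m = _REALM_RE.search(challenge)
    return m.group(1) if m else None

def looks_generated(realm: str) -> bool:
    """True if the realm has the host:port shape Tomcat generates itself."""
    m = _HOST_PORT_RE.match(realm)
    return m is not None and 0 < int(m.group(1)) <= 65535

def audit_response(raw: str) -> List[Dict[str, object]]:
    """Report every WWW-Authenticate header in a raw HTTP response, noting
    whether its realm looks auto-generated (a possible host-name leak)."""
    head = raw.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            realm = parse_realm(value.strip())
            findings.append({"realm": realm,
                             "generated": realm is not None and looks_generated(realm)})
    return findings

if __name__ == "__main__":
    print(audit_response(RESPONSE_NO_REALM_NAME))   # generated: True
    print(audit_response(RESPONSE_REALM_NAME_SET))  # generated: False
```

A realm flagged as generated on a server you operate means the deployment relies on the Tomcat default; setting <realm-name> inside <login-config> in web.xml (or applying the linked fix) removes the host:port value from the challenge.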