ports/146022: [security] tomcat information disclosure
niels
niels at FreeBSD.org
Sat Apr 24 20:50:04 UTC 2010
>Number: 146022
>Category: ports
>Synopsis: [security] tomcat information disclosure
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Apr 24 20:50:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: niels
>Release: 8.0-STABLE
>Organization:
>Environment:
>Description:
>From the security advsory:
Low: Information disclosure in authentication headers CVE-2010-1157
The WWW-Authenticate HTTP header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, a <realm-name> is not specified then Tomcat will generate realm name using the code snippet request.getServerName() + ":" + request.getServerPort(). In some circumstances this can expose the local host name or IP address of the machine running Tomcat.
Can you update the ports or add the patch?
Thanks!
>How-To-Repeat:
N/A
>Fix:
Tomcat 6.0.x: http://svn.apache.org/viewvc?view=rev&rev=936540
Tomcat 5.5.x: http://svn.apache.org/viewvc?view=rev&rev=936541
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list