[Secure-testing-commits] r5775 - data/CVE

Florian Weimer fw at alioth.debian.org
Thu May 3 19:30:59 UTC 2007


Author: fw
Date: 2007-05-03 19:30:54 +0000 (Thu, 03 May 2007)
New Revision: 5775

Modified:
   data/CVE/list
Log:
tomcat5/tomcat5.5 issue involving insecure SSO cookies


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2007-05-03 00:41:26 UTC (rev 5774)
+++ data/CVE/list	2007-05-03 19:30:54 UTC (rev 5775)
@@ -1,3 +1,9 @@
+CVE-2007-XXXX [Tomcat does not enforce HTTPS for SSO cookies]
+	- tomcat5 <unfixed> (medium)
+	- tomcat5.5 <unfixed> (medium)
+	NOTE: SSO cookies sent over secure connections do not require
+	NOTE: secure connections, possibly defeating HTTPS encryption.
+	NOTE: See: http://issues.apache.org/bugzilla/show_bug.cgi?id=41217
 CVE-2007-2419
 	RESERVED
 CVE-2007-2418
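Review bot: The two NOTE lines in the new CVE-2007-XXXX entry read circularly ("SSO cookies sent over secure connections do not require secure connections"), so a reader cannot tell which property is missing. Suggest rewording to say that SSO cookies issued over HTTPS are not restricted to secure connections and can therefore also be sent over plain HTTP, for example "NOTE: SSO cookies set over HTTPS are not restricted to secure connections," followed by the existing "possibly defeating HTTPS encryption." Both tomcat5 and tomcat5.5 are marked <unfixed> with only the upstream Bugzilla link as a reference; if a Debian bug has been filed, adding it to the entry would make the fix easier to track.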



