[pkg-java] r4919 - in trunk/tomcat5.5: container/catalina/src/share/org/apache/catalina/servlets debian

mkoch at alioth.debian.org mkoch at alioth.debian.org
Fri Nov 30 10:09:05 UTC 2007


Author: mkoch
Date: 2007-11-30 10:09:05 +0000 (Fri, 30 Nov 2007)
New Revision: 4919

Modified:
   trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
   trunk/tomcat5.5/debian/changelog
Log:
CVE-2007-5461:
* Fix absolute path traversal vulnerability. Closes: #448664.


Modified: trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
--- trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java	2007-11-30 09:42:39 UTC (rev 4918)
+++ trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java	2007-11-30 10:09:05 UTC (rev 4919)
@@ -252,6 +252,7 @@
         try {
             documentBuilderFactory = DocumentBuilderFactory.newInstance();
             documentBuilderFactory.setNamespaceAware(true);
+	    documentBuilderFactory.setExpandEntityReferences(false);
             documentBuilder = documentBuilderFactory.newDocumentBuilder();
         } catch(ParserConfigurationException e) {
             throw new ServletException
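Review bot: the added setExpandEntityReferences(false) call, placed after setNamespaceAware(true), only controls whether entity reference nodes are expanded in the DOM this factory produces. Whether a SYSTEM entity in the request body is still resolved is left to the parser implementation. Consider also installing a restrictive EntityResolver on documentBuilder right after newDocumentBuilder(), so that external entities are never fetched regardless of the parser in use. The new line is also tab-indented while its neighbours use spaces, and it has no comment tying it to CVE-2007-5461. A one-line comment would stop a later cleanup from dropping the call.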

Modified: trunk/tomcat5.5/debian/changelog
===================================================================
--- trunk/tomcat5.5/debian/changelog	2007-11-30 09:42:39 UTC (rev 4918)
+++ trunk/tomcat5.5/debian/changelog	2007-11-30 10:09:05 UTC (rev 4919)
@@ -1,11 +1,16 @@
-tomcat5.5 (5.5.25-2) UNRELEASED; urgency=low
+tomcat5.5 (5.5.25-2) unstable; urgency=high
 
+  [ Michael Koch ]
+  CVE-2007-5461:
+  * Fix absolute path traversal vulnerability. Closes: #448664.
+
+  [ Marcus Better ]
   * Add required commons-io symlink to the admin webapp, which fixes WAR
     file uploads. (Closes: #452366)
   * debian/control: Use the new Homepage and Vcs-* fields.
   * debian/NEWS: Remove outdated entry.
 
- -- Marcus Better <marcus at better.se>  Thu, 22 Nov 2007 14:55:37 +0100
+ -- Michael Koch <konqueror at gmx.de>  Fri, 30 Nov 2007 10:46:33 +0100
 
 tomcat5.5 (5.5.25-1) unstable; urgency=high
 
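Review bot: the new entry under [ Michael Koch ] repeats the CVE title but does not say what was changed or where. Name the file and the setting, for example "WebdavServlet: disable entity reference expansion in the XML parser (CVE-2007-5461)", so that someone reading the changelog can match the entry to the code. The bare "CVE-2007-5461:" line also sits outside the bullet list, unlike the entries under [ Marcus Better ]. Folding the CVE id into the bullet keeps the format uniform.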



