Bug#632399: tomcat6-admin doesn't use CSRF protections

tony mancill tmancill at debian.org
Sun Jul 3 19:26:10 UTC 2011


Hello Alex,

Is the CSRF vulnerability you are referring to distinct from the XSS
vulnerabilities in the manager interface reported in CVE-2011-0013 [1]?  If not,
please note that the patch for that vulnerability was backported to 6.0.28 for
the version reported in the bug report.

Another option, if you prefer, is to build 6.0.32 source package against
squeeze.  The rebuild is trivial, as there are no dependencies to backport.  If
you'd like, I can make binary packages available to you.

Thank you,
tony

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0013

On 07/01/2011 09:52 AM, Alex Dehnert wrote:
> Package: tomcat6-admin
> Version: 6.0.28-9+squeeze1
> Severity: normal
> Tags: security
> 
> According to the upstream changelog
> (http://tomcat.apache.org/tomcat-6.0-doc/changelog.html), Tomcat 6.0.30 fixed a
> CSRF vulnerability in the manager application. The Debian package does not have
> these protections.
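The report above concerns the per-session nonce check that the Tomcat manager application gained upstream. The following is an added illustration of that synchronizer-token pattern, written for this page and not taken from Tomcat or from the Debian package: the class name, the parameter name csrf_nonce, the cache size and the example manager paths are all assumptions made here. It shows why a request forged from another site is rejected (no nonce for the victim's session), why an external link to the configured entry point still works, and why a nonce issued to one session is useless in another.

```python
import secrets
from collections import OrderedDict


class CsrfTokenGuard:
    """Synchronizer-token CSRF guard modelled on a per-session nonce filter.

    Constructed example, not Tomcat's code. Each session keeps a small cache
    of recently issued nonces; a request to a protected path must carry one
    of them, except for the configured entry points (pages a user may
    legitimately reach from an external link, where a nonce is first issued).
    """

    def __init__(self, entry_points, nonce_cache_size=5, param_name="csrf_nonce"):
        self.entry_points = set(entry_points)      # assumed: paths exempt from the check
        self.nonce_cache_size = nonce_cache_size   # assumed: how many recent nonces stay valid
        self.param_name = param_name               # assumed: request parameter carrying the nonce
        # session_id -> OrderedDict used as a bounded LRU of valid nonces
        self._sessions = {}

    def issue_nonce(self, session_id):
        """Mint a fresh random nonce for this session and evict the oldest."""
        cache = self._sessions.setdefault(session_id, OrderedDict())
        nonce = secrets.token_hex(16)
        cache[nonce] = True
        while len(cache) > self.nonce_cache_size:
            cache.popitem(last=False)
        return nonce

    def protect_url(self, session_id, url):
        """Rewrite a link so that following it carries a valid nonce."""
        sep = "&" if "?" in url else "?"
        return f"{url}{sep}{self.param_name}={self.issue_nonce(session_id)}"

    def is_allowed(self, session_id, path, params):
        """Return True if the request may proceed, False if it must be rejected."""
        if path in self.entry_points:
            return True
        cache = self._sessions.get(session_id)
        if not cache:
            # No nonce was ever issued to this session: a cross-site request
            # cannot have obtained one, so it is refused.
            return False
        supplied = params.get(self.param_name)
        if supplied is None:
            return False
        supplied_bytes = supplied.encode("utf-8")
        # Constant-time comparison against each still-valid nonce.
        return any(
            secrets.compare_digest(supplied_bytes, n.encode("utf-8")) for n in cache
        )


def demo():
    """Walk through the cases a reviewer would want to see; returns outcomes."""
    guard = CsrfTokenGuard(entry_points={"/manager/html"})  # constructed paths
    results = {}
    # An external link to the entry point is fine, no nonce needed.
    results["entry_point_no_nonce"] = guard.is_allowed("victim", "/manager/html", {})
    # A forged request to a state-changing page carries no nonce.
    results["forged_no_nonce"] = guard.is_allowed(
        "victim", "/manager/html/undeploy", {"path": "/app"}
    )
    # The legitimate page issues a nonce and embeds it in its links.
    link = guard.protect_url("victim", "/manager/html/undeploy?path=/app")
    nonce = link.split("csrf_nonce=")[1]
    results["legit_with_nonce"] = guard.is_allowed(
        "victim", "/manager/html/undeploy", {"path": "/app", "csrf_nonce": nonce}
    )
    # The same nonce presented under a different session is rejected.
    results["nonce_wrong_session"] = guard.is_allowed(
        "other", "/manager/html/undeploy", {"csrf_nonce": nonce}
    )
    # Nonces age out of the bounded cache after enough new ones are issued.
    for _ in range(guard.nonce_cache_size):
        guard.issue_nonce("victim")
    results["stale_nonce"] = guard.is_allowed(
        "victim", "/manager/html/undeploy", {"csrf_nonce": nonce}
    )
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'rejected'}")
```

Running the file prints one line per case; only the entry-point request and the request carrying a nonce issued to the same session are allowed. The bounded cache is the reason a user with several manager tabs open does not get locked out after each click, while a captured nonce still stops working once it has been superseded.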
