Debian Bug report logs - #423435
CVE-2007-1858: insecure default SSL cipher configuration in Apache Tomcat

Package: tomcat5; Maintainer for tomcat5 is (unknown);

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Fri, 11 May 2007 20:03:02 UTC

Severity: normal

Tags: security

Found in version tomcat5/5.0.30-12

Done: Marcus Better <marcus@better.se>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#423435; Package tomcat5.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-1858: insecure default SSL cipher configuration in Apache Tomcat
Date: Fri, 11 May 2007 22:01:33 +0200
Package: tomcat5
Version: 5.0.30-12
Severity: normal
Tags: security

A vulnerability has been found in Tomcat:

CVE-2007-1858:
"The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31,
5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers,
including the anonymous cipher, which allows remote attackers to obtain
sensitive information or have other, unspecified impacts."

Please mention the CVE id in the changelog.


This also affects tomcat4 in sarge but I doubt a DSA is needed.
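
Added example, not part of the bug report or of Tomcat: a check of a server.xml for TLS connectors that either rely on the default cipher configuration named in the CVE text or list an anonymous suite explicitly. The sample server.xml is constructed, the function names are hypothetical, and the script assumes the Connector "ciphers" attribute holds a comma-separated list of JSSE suite names.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml for illustration; not taken from any package.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" />
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS" />
    <Connector port="9443" scheme="https" secure="true" sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_SHA, SSL_DH_anon_WITH_RC4_128_MD5" />
    <Connector port="10443" scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
  </Service>
</Server>"""


def is_tls_connector(conn):
    """Assumption: a Connector serves TLS if it sets scheme=https or secure=true."""
    return (conn.get("scheme", "").lower() == "https"
            or conn.get("secure", "").lower() == "true")


def audit_connectors(server_xml):
    """Return (port, finding, detail) tuples for TLS connectors at risk."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_tls_connector(conn):
            continue
        port = conn.get("port", "?")
        suites = [s.strip() for s in (conn.get("ciphers") or "").split(",") if s.strip()]
        if not suites:
            # No explicit list: the connector falls back to the default cipher set.
            findings.append((port, "default-ciphers", "no explicit ciphers attribute"))
            continue
        # Anonymous key-exchange suites carry "_anon_" in their names.
        for suite in suites:
            if "_anon_" in suite.lower():
                findings.append((port, "anonymous-cipher", suite))
    return findings


if __name__ == "__main__":
    for port, finding, detail in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding} ({detail})")
```

The check covers only the anonymous suites that the CVE text names; it does not judge the strength of the other suites in a list.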



Reply sent to Marcus Better <marcus@better.se>:
You have taken responsibility. (Mon, 03 Aug 2009 11:27:31 GMT)


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (Mon, 03 Aug 2009 11:27:31 GMT)


Message #10 received at 423435-done@bugs.debian.org:

From: Marcus Better <marcus@better.se>
To: 320034-done@bugs.debian.org, 532363-done@bugs.debian.org, 427947-done@bugs.debian.org, 374928-done@bugs.debian.org, 406780-done@bugs.debian.org, 427948-done@bugs.debian.org, 270248-done@bugs.debian.org, 292448-done@bugs.debian.org, 374929-done@bugs.debian.org, 389938-done@bugs.debian.org, 391646-done@bugs.debian.org, 397008-done@bugs.debian.org, 423435-done@bugs.debian.org, 427712-done@bugs.debian.org, 437136-done@bugs.debian.org, 402706-done@bugs.debian.org, 248267-done@bugs.debian.org
Subject: closing bugs in tomcat5
Date: Mon, 03 Aug 2009 13:17:52 +0200

tomcat5 has been removed from Debian. This bug does not apply to
tomcat5.5 or tomcat6, or has already been reported or fixed there, so
I'm closing it.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 01 Sep 2009 07:32:59 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 5 07:50:22 2018; Machine Name: beach
