UNIX & LINUX

Tomcat 5.5.29 has been patched.

ori+ 2010. 4. 23. 19:48
The fix for the issue that allowed attacks against the web root has been officially released.

Please refer to the original text.

Original: http://tomcat.apache.org/security-5.html#Fixed_in_subversion_for_Apache_Tomcat_5.5.x

Low: Arbitrary file deletion and/or alteration on deploy CVE-2009-2693

When deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root by including entries such as ../../bin/catalina.sh in the WAR.

This was fixed in revision 902650.

Affects: 5.5.0-5.5.28

Low: Insecure partial deploy after failed deploy CVE-2009-2901

By default, Tomcat automatically deploys any directories placed in a host's appBase. This behaviour is controlled by the autoDeploy attribute of a host which defaults to true. After a failed undeploy, the remaining files will be deployed as a result of the autodeployment process. Depending on circumstances, files normally protected by one or more security constraints may be deployed without those security constraints, making them accessible without authentication. This issue only affects Windows platforms.

This was fixed in revision 902650.

Affects: 5.5.0-5.5.28 (Windows only)

Low: Unexpected file deletion in work directory CVE-2009-2902

When deploying WAR files, the WAR file names were not checked for directory traversal attempts. For example, deploying and undeploying ...war allows an attacker to cause the deletion of the current contents of the host's work directory which may cause problems for currently running applications.

This was fixed in revision 902650.

Affects: 5.5.0-5.5.28
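The two WAR-handling issues above (CVE-2009-2693 and CVE-2009-2902) come down to the same missing validation: neither the names of the entries inside a WAR nor the name of the WAR file itself were checked for directory traversal before being turned into paths. The following is an added example, not Tomcat's own code, showing both checks in Python: the context name derived from the file name is rejected when stripping ".war" leaves ".." (the "...war" case, which would point the work directory at the host's whole work tree), and every archive entry is rejected if it is absolute or contains a ".." component (the "../../bin/catalina.sh" case). The helper names, the sample WAR and its entries are constructed for this example.

```python
"""Added example: validate WAR file names and WAR entry names before deployment.

Not Tomcat code. Shows the two checks the CVE-2009-2902 and CVE-2009-2693
fixes amount to: a safe context name from the file name, and a safe target
path for every zip entry before anything is written to disk.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path


class UnsafeWarError(ValueError):
    """A WAR name or entry that would touch files outside its own directory."""


def context_name_from_war(war_filename: str) -> str:
    """Strip '.war' the way a deployer does, then refuse dangerous results.

    '...war' strips to '..', so work/Catalina/<host>/.. would be the host's
    whole work directory; undeploying it would delete every app's work files.
    """
    base = os.path.basename(war_filename)
    if not base.lower().endswith(".war"):
        raise UnsafeWarError(f"not a WAR file name: {war_filename!r}")
    name = base[: -len(".war")]
    if name in ("", ".", "..") or "/" in name or "\\" in name or "\0" in name:
        raise UnsafeWarError(f"unsafe context name {name!r} from {war_filename!r}")
    return name


def is_safe_war_name(war_filename: str) -> bool:
    """Boolean wrapper around context_name_from_war for quick checks."""
    try:
        context_name_from_war(war_filename)
        return True
    except UnsafeWarError:
        return False


def entry_is_safe(entry_name: str) -> bool:
    """Pure string check on a zip entry name: relative, no '..' component.

    Archives built on Windows may carry backslashes, so both separators are
    normalised before the check; a leading drive letter is also refused.
    """
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or "\0" in name:
        return False
    head = name.split("/", 1)[0]
    if len(head) == 2 and head[1] == ":" and head[0].isalpha():
        return False
    parts = [p for p in name.split("/") if p not in ("", ".")]
    return ".." not in parts


def audit_war(war_bytes: bytes) -> list:
    """Return the entry names that would escape the unpack directory."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not entry_is_safe(i.filename)]


def deploy_war(war_filename: str, war_bytes: bytes, app_base: Path) -> Path:
    """Unpack a WAR under app_base/<context>, aborting before any write if unsafe."""
    context = context_name_from_war(war_filename)
    bad = audit_war(war_bytes)
    if bad:
        raise UnsafeWarError(f"traversal entries in {war_filename}: {bad}")
    target_root = (app_base / context).resolve()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for info in zf.infolist():
            dest = (target_root / info.filename.replace("\\", "/")).resolve()
            # Second, filesystem-based containment check after path resolution.
            if dest != target_root and target_root not in dest.parents:
                raise UnsafeWarError(f"{info.filename} resolves outside {target_root}")
            if info.is_dir():
                dest.mkdir(parents=True, exist_ok=True)
            else:
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(zf.read(info))
    return target_root


def unpacked_files(war_filename: str, war_bytes: bytes) -> list:
    """Deploy into a fresh temp dir and return the relative paths written."""
    root = deploy_war(war_filename, war_bytes, Path(tempfile.mkdtemp()))
    return sorted(str(p.relative_to(root)) for p in root.rglob("*") if p.is_file())


def build_sample_war(malicious: bool) -> bytes:
    """Constructed sample WAR: a minimal web.xml plus, optionally, the
    '../../bin/catalina.sh' entry named in the advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("index.html", "<html>hello</html>")
        if malicious:
            zf.writestr("../../bin/catalina.sh", "#!/bin/sh\necho pwned\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("'...war' safe?", is_safe_war_name("...war"))
    print("bad entries:", audit_war(build_sample_war(True)))
    print("unpacked:", unpacked_files("myapp.war", build_sample_war(False)))
```

The string check in entry_is_safe is what the fix needs; the resolve()-based containment check in deploy_war is a second line of defence that also catches cases the string check was not written for (symlinked directories already present under the target, for instance). Rejecting the whole WAR before the first write matters: extracting the safe entries and stopping at the bad one would leave a partial deployment behind, which is exactly the failure mode CVE-2009-2901 describes.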

Low: Insecure default password CVE-2009-3548

The Windows installer defaults to a blank password for the administrative user. If this is not changed during the install process, then by default a user is created with the name admin, roles admin and manager and a blank password.

This was fixed in revision 919006.

Affects: 5.5.0-5.5.28