| Name | CVE-2007-1858 |
| Description | The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 423435 |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tomcat4 | source | (unstable) | (unfixed) | low | ||
| tomcat5 | source | (unstable) | (unfixed) | low | 423435 | |
| tomcat5.5 | source | (unstable) | 5.5.17-1 | low |
insecure ciphers should not be (and usually are not) enabled in browsers
[sarge] - tomcat4 <no-dsa> (low)
[etch] - tomcat5 <no-dsa> (low; bug #423435)