CVE-2009-0783

Name	CVE-2009-0783
Description	Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References	DSA-2207-1
NVD severity	medium
Debian Bugs	532362, 532363, 532366

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
tomcat5	source	(unstable)	(unfixed)	low		532363
tomcat5.5	source	lenny	5.5.26-5lenny2		DSA-2207-1
tomcat5.5	source	(unstable)	(unfixed)	low		532366
tomcat6	source	lenny	(not affected)
tomcat6	source	(unstable)	6.0.20-1	low		532362

Notes

[lenny] - tomcat6 <not-affected> (Only ships the servlet package)