CVE-2012-5887

NameCVE-2012-5887
DescriptionThe HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests.
SourceCVE (at NVD; LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs692439, 692440

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat6 (PTS)wheezy6.0.35-6+deb7u1fixed
wheezy (security)6.0.45+dfsg-1~deb7u1fixed
jessie6.0.41-3fixed
jessie (security)6.0.45+dfsg-1~deb8u1fixed
stretch, sid6.0.45+dfsg-1fixed
tomcat7 (PTS)wheezy7.0.28-4+deb7u3fixed
wheezy (security)7.0.28-4+deb7u4fixed
jessie7.0.56-3+deb8u1fixed
jessie (security)7.0.56-3+deb8u2fixed
stretch, sid7.0.69-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat6source(unstable)6.0.35-5+nmu1medium692439
tomcat6sourcesqueeze6.0.35-1+squeeze3medium
tomcat7source(unstable)7.0.28-3+nmu1medium692440

Notes

DSA 2725

Search for package or bug name: Reporting problems