Information disclosure vulnerability (CVE-2008-2370)

This bug was fixed in the package tomcat6 - 6.0.18-0ubuntu1

---------------
tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low

  * New upstream version (LP: #260016)
    - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
    - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
    - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
  * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
  * control: Improve short descriptions for the binary packages
  * copyright: Added link to /usr/share/common-licenses/Apache-2.0
  * control: To pull the right JRE, libtomcat6-java now depends on
    default-jre-headless | java6-runtime-headless

 -- Thierry Carrez <email address hidden> Fri, 22 Aug 2008 09:15:11 +0200

The fix should be http://svn.apache.org/viewvc?view=rev&revision=673839

No, that would rather be: http://svn.apache.org/viewvc?view=rev&revision=680949

This bug was fixed in the package tomcat5.5 - 5.5.26-3ubuntu1

---------------
tomcat5.5 (5.5.26-3ubuntu1) intrepid; urgency=low

  * Fix tomcat5.5 Java environment to match status of Java in intrepid:
    - control: Moved Java runtime deps to libtomcat5.5-java
    - control: Depends on default-jre-headless | java2-runtime-headless
    - tomcat5.5.init: Fix JVM list to match java2-runtime-headless
    - rules, control: Builds with default-jdk, libecj-java build-dep added
    - Fixes LP: #212521, LP: #179447
  * tomcat5.5.postinst: Removed superfluous /etc/tomcat5.5/tomcat5.5 linking
  * rules, tomcat5.5.init: implement TearDown spec
  * tomcat5.5.install: don't install catalina.policy (LP: #112626)
  * Fix CVE-2008-1232 cross-site scripting vulnerability (LP: #256926)
  * Fix CVE-2008-2370 information disclosure vulnerability (LP: #256922)
  * Fix CVE-2008-2938 directory traversal (LP: #256802)

 -- Thierry Carrez <email address hidden> Wed, 10 Sep 2008 12:00:09 +0200