Debian: DSA-2401-1: tomcat6 security update
Summary
Several vulnerabilities have been found in Tomcat, a servlet and JSP
engine:
CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064
The HTTP Digest Access Authentication implementation performed
insufficient countermeasures against replay attacks.
CVE-2011-2204
In rare setups passwords were written into a logfile.
CVE-2011-2526
Missing input sanisiting in the HTTP APR or HTTP NIO connectors could lead to denial of service.
CVE-2011-3190
AJP requests could be spoofed in some setups.
CVE-2011-3375
Incorrect request caching could lead to information disclosure.
CVE-2011-4858 CVE-2012-0022
This update adds countermeasures against a collision denial of
service vulnerability in the Java hashtable implementation and
addresses denial of service potentials when processing large
amounts of requests.
Additional information can be
found at https://tomcat.apache.org/security-6.html
For the stable distribution (squeeze), this problem has been fixed in
version 6.0.35-1+squeeze2.
For the unstable distribution (sid), this problem has been fixed in
version 6.0.35-1.
We recommend that you upgrade your tomcat6 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org