
Fedora Core 6 Critical: FEDORA-2007-514 Tomcat Cache Poisoning

Fedora
May 21, 2007
Essential patches for security vulnerabilities within Jakarta Commons Modeler in Fedora Core 6, addressing risks related to Tomcat exposure.
Several security issues were reported to be fixed in releases prior to Tomcat 5.5.23. Tomcat was found to accept multiple Content-Length headers in a request.

Summary

The Modeler project shall create and maintain a set of Java classes to provide the facilities described in the preceding section, plus unit tests and small examples of using these facilities to instrument Java classes with Model MBean support.

Several security issues were reported to be fixed in releases prior to 5.5.23 (https://tomcat.apache.org/security-5.html).

Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090)

Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450)

The implicit-objects.jsp file distributed in the examples webapp displayed a number of unfiltered header values. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195)
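As an added defender-side example (not part of this advisory, and not Tomcat's or Fedora's code), the check below parses a raw HTTP/1.1 request the way a reverse proxy or WAF in front of an unpatched Tomcat would, and reports the two request shapes the advisory describes: duplicate or conflicting Content-Length headers (the CVE-2005-2090 vector) and a request target using an alternate path delimiter that a prefix-based proxy rule would not treat as "/" (CVE-2007-0450). The advisory does not list which delimiter characters Tomcat accepted; backslash and percent-encoded slash/backslash are my assumption, and the sample requests are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not taken from the advisory), CRLF-terminated as on the wire.
DUPLICATE_CL = (b"POST /app/login HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\nContent-Length: 40\r\n\r\nhello")
DELIMITER_TRICK = b"GET /public/..%5Cadmin/ HTTP/1.1\r\nHost: example.test\r\n\r\n"
CLEAN = b"GET /public/index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

# Assumption: alternate delimiters Tomcat honoured but a prefix-matching proxy would not.
SUSPECT_DELIMS = re.compile(r"\\|%2f|%5c", re.IGNORECASE)


def parse_request(raw: bytes):
    """Split a raw request into (method, target, [(lowercased name, value), ...]).

    Header order is preserved so repeated headers are visible to the caller."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


def inspect_request(raw: bytes) -> list:
    """Return the reasons a front-end should reject the request; [] means it passed."""
    findings = []
    _method, target, headers = parse_request(raw)

    # CVE-2005-2090: more than one Content-Length header, or one header carrying a
    # comma-separated list; each value must also be a plain decimal number.
    cl_values = [v for name, v in headers if name == "content-length"]
    cl_values = [x.strip() for v in cl_values for x in v.split(",")]
    if len(cl_values) > 1:
        findings.append("multiple Content-Length values: %s" % ", ".join(cl_values))
    if any(not v.isdigit() for v in cl_values):
        findings.append("non-numeric Content-Length")

    # CVE-2007-0450 (assumed delimiters): flag the raw delimiter, then normalise the
    # path the way Tomcat would and look for a dot-segment that the proxy never saw.
    if SUSPECT_DELIMS.search(target):
        findings.append("alternate path delimiter in request target: %s" % target)
    path = unquote(target).split("?", 1)[0].replace("\\", "/")
    if ".." in path.split("/"):
        findings.append("dot-segment in request target after decoding")
    return findings


if __name__ == "__main__":
    for label, req in (("duplicate-cl", DUPLICATE_CL), ("delimiter", DELIMITER_TRICK), ("clean", CLEAN)):
        print(label, inspect_request(req) or "ok")
```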

Users should upgrade to these erratum packages, which contain an update to Tomcat that resolves these issues. Updated jakarta-commons-modeler packages are also included which correct a bug when used with Tomcat 5.5.23.

- Add patch to fix JIRA task MODELER-15 to allow tomcat5 5.5.23 to build against j-c-modeler
- Resolves: bug 237704


This update can be installed with the 'yum' update program. Use 'yum update package-name' at the command line. For more information, refer to 'Managing Software with yum,' available at .

Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/


Severity: Critical

Name: jakarta-commons-modeler
Version: 1.1
Release: 8jpp.2.fc6
Summary: Jakarta Commons Modeler Package
