Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 533
Alerts This Week
Warning Icon 1 533

openSUSE 11.4: SU-2012:0208-1 Important: tomcat6 HTTP Digest Issues

opensuse
Calendar Grey February 9, 2012
Dist Opensuse Esm H88
Critical openSUSE security patch for tomcat6 addresses several HTTP Digest vulnerabilities and resolves regression problems.
An update that fixes four vulnerabilities is now available

Description

This update fixes a regression in parameter passing (in

urldecoding of parameters that contain spaces).

In addition, multiple weaknesses in HTTP DIGESTS are fixed

(CVE-2011-1184).

CVE-2011-5062: The HTTP Digest Access Authentication

implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x

before 6.0.33 and 7.x before 7.0.12 does not check qop

values, which might allow remote attackers to bypass

intended integrity-protection requirements via a qop=auth

value, a different vulnerability than CVE-2011-1184.

CVE-2011-5063: The HTTP Digest Access Authentication

implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x

before 6.0.33, and 7.x before 7.0.12 does not check realm

values, which might allow remote attackers to bypass

intended access restrictions by leveraging the availability

of a protection space with weaker authentication or

authorization requirements, a different vulnerability than

CVE-2011-1184.

CVE-2011-5064:...

Read the Full Advisory

Patch

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE 11.4:

zypper in -t patch tomcat6-5765

To bring your system up-to-date, use "zypper patch".

Package List

- openSUSE 11.4 (noarch):

tomcat6-6.0.32-7.14.1

tomcat6-admin-webapps-6.0.32-7.14.1

tomcat6-docs-webapp-6.0.32-7.14.1

tomcat6-el-1_0-api-6.0.32-7.14.1

tomcat6-javadoc-6.0.32-7.14.1

tomcat6-jsp-2_1-api-6.0.32-7.14.1

tomcat6-lib-6.0.32-7.14.1

tomcat6-servlet-2_5-api-6.0.32-7.14.1

tomcat6-webapps-6.0.32-7.14.1

References

https://www.suse.com/security/cve/CVE-2011-1184.html

https://www.suse.com/security/cve/CVE-2011-5062.html

https://www.suse.com/security/cve/CVE-2011-5063.html

https://www.suse.com/security/cve/CVE-2011-5064.html

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2012:0208-1
Rating: important
Affected Products: openSUSE 11.4 .

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.