Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 433
Alerts This Week
Warning Icon 1 433

Scientific Linux: SLSA-2013:0869-1 Important: tomcat6 Update and Fixes

Scientific Large Esm H446
Important: tomcat6 security update
Date: Tue, 28 May 2013 19:42:46 +0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Subject: Security ERRATA Important: tomcat6 on SL6.x (noarch)
MIME-Version: 1.0

Synopsis: Important: tomcat6 security update
Advisory ID: SLSA-2013:0869-1
Issue Date: 2013-05-28
CVE Numbers: CVE-2013-1976
 CVE-2013-2051
--

A flaw was found in the way the tomcat6 init script handled the
tomcat6-initd.log log file. A malicious web application deployed on Tomcat
could use this flaw to perform a symbolic link attack to change the
ownership of an arbitrary system file to that of the tomcat user, allowing
them to escalate their privileges to root. (CVE-2013-1976)

Note: With this update, tomcat6-initd.log has been moved from
/var/log/tomcat6/ to the /var/log/ directory.

It was found that the SLSA-2013:0623 update did not correctly fix
CVE-2012-5887, a weakness in the Tomcat DIGEST authentication
implementation. A remote attacker could use this flaw to perform replay
attacks in some circumstances. Additionally, this problem also prevented
users from being able to authenticate using DIGEST authentication.
(CVE-2013-2051)

Tomcat must be restarted for this update to take effect.
--

SL6
 noarch
 tomcat6-6.0.24-55.el6_4.noarch.rpm
 tomcat6-admin-webapps-6.0.24-55.el6_4.noarch.rpm
 tomcat6-docs-webapp-6.0.24-55.el6_4.noarch.rpm
 tomcat6-el-2.1-api-6.0.24-55.el6_4.noarch.rpm
 tomcat6-javadoc-6.0.24-55.el6_4.noarch.rpm
 tomcat6-jsp-2.1-api-6.0.24-55.el6_4.noarch.rpm
 tomcat6-lib-6.0.24-55.el6_4.noarch.rpm
 tomcat6-servlet-2.5-api-6.0.24-55.el6_4.noarch.rpm
 tomcat6-webapps-6.0.24-55.el6_4.noarch.rpm

- Scientific Linux Development Team