Scientific Linux: SLSA-2016:0492-1 Moderate: tomcat6 Memory Issue

Date: Wed, 23 Mar 2016 16:31:20 -0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Subject: Security ERRATA Moderate: tomcat6 on SL6.x i386/x86_64
MIME-Version: 1.0
Message-ID: <20160323163120.31995.47716@slpackages.fnal.gov>

Synopsis: Moderate: tomcat6 security and bug fix update
Advisory ID: SLSA-2016:0492-1
Issue Date: 2016-03-23
CVE Numbers: CVE-2014-7810
--

It was found that the expression language resolver evaluated expressions
within a privileged code section. A malicious web application could use
this flaw to bypass security manager protections. (CVE-2014-7810)

This update also fixes the following bug:

* Previously, using a New I/O (NIO) connector in the Apache Tomcat 6
servlet resulted in a large memory leak. An upstream patch has been
applied to fix this bug, and the memory leak no longer occurs.

Tomcat must be restarted for this update to take effect.
--

SL6
 x86_64
 tomcat6-6.0.24-94.el6_7.x86_64.rpm
 tomcat6-admin-webapps-6.0.24-94.el6_7.x86_64.rpm
 tomcat6-debuginfo-6.0.24-94.el6_7.x86_64.rpm
 tomcat6-docs-webapp-6.0.24-94.el6_7.x86_64.rpm
 tomcat6-el-2.1-api-6.0.24-94.el6_7.x86_64.rpm
 tomcat6-javadoc-6.0.24-94.el6_7.x86_64.rpm
 tomcat6-jsp-2.1-api-6.0.24-94.el6_7.x86_64.rpm
 tomcat6-lib-6.0.24-94.el6_7.x86_64.rpm
 tomcat6-servlet-2.5-api-6.0.24-94.el6_7.x86_64.rpm
 tomcat6-webapps-6.0.24-94.el6_7.x86_64.rpm
 i386
 tomcat6-6.0.24-94.el6_7.i686.rpm
 tomcat6-admin-webapps-6.0.24-94.el6_7.i686.rpm
 tomcat6-debuginfo-6.0.24-94.el6_7.i686.rpm
 tomcat6-docs-webapp-6.0.24-94.el6_7.i686.rpm
 tomcat6-el-2.1-api-6.0.24-94.el6_7.i686.rpm
 tomcat6-javadoc-6.0.24-94.el6_7.i686.rpm
 tomcat6-jsp-2.1-api-6.0.24-94.el6_7.i686.rpm
 tomcat6-lib-6.0.24-94.el6_7.i686.rpm
 tomcat6-servlet-2.5-api-6.0.24-94.el6_7.i686.rpm
 tomcat6-webapps-6.0.24-94.el6_7.i686.rpm

- Scientific Linux Development Team