Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found 2 articles for you...
200
security advisorytomcat5scientific linuxScientific Linux SL5: SLSA-2013:0870-1 Important Tomcat5 Security Risk
Important: tomcat5 security update. Date: Tue, 28 May 2013 19:45:17 +0000 Reply-To: scientific-linux-users@ Sender: Security Errata for Scientific Linux From: Pat Riehecky Subject: Security ERRATA Important: tomcat5 on SL5.x i386/x86_64 MIME-Version: 1.0 Synopsis: Important: tomcat5 security update Advisory ID: SLSA-2013:0870-1 Issue Date: 2013-05-28 CVE Numbers: CVE-2013-1976 -- A flaw was found in the way the tomcat5 init script handled the catalina.out log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root. (CVE-2013-1976) Note: With this update, /var/log/tomcat5/catalina.out has been moved to the /var/log/tomcat5-initd.log file. Tomcat must be restarted for this update to take effect. -- SL5 x86_64 tomcat5-debuginfo-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-admin-webapps-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-common-lib-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-jasper-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-server-lib-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-webapps-5.5.23-0jpp.40.el5_9.x86_64.rpm i386 tomcat5-debuginfo-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-admin-webapps-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-common-lib-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-jasper-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-server-lib-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-webapps-5.5.23-0jpp.40.el5_9.i386.rpm - Scientific Linux Development Team . Essential tomcat5 patch for Scientific Linux resolves security concern associated with elevation of privilege, accompanied by comprehensive advisory instructions.. tomcat5 security advisory, scientific linux update, privilege escalation risk. . Severity: Important. LinuxSecurity.com Team
May 28, 2013
•Important
Scientific Linux
200
security advisoryupdateremote accessScientific Linux: Important tomcat5 Update for Authentication Flaws
Important: tomcat5 security update. Date: Tue, 12 Mar 2013 16:10:11 -0500 Reply-To: Pat Riehecky Sender: Security Errata for Scientific Linux From: Pat Riehecky Subject: Security ERRATA Important: tomcat5 on SL5.x i386/x86_64 MIME-Version: 1.0 Synopsis: Important: tomcat5 security update Issue Date: 2013-03-12 CVE Numbers: CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 CVE-2012-3546 -- It was found that when an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of a URL. A remote attacker with an authenticated session on an affected application could use this flaw to circumvent authorization controls, and thereby access resources not permitted by the roles associated with their authenticated session. (CVE-2012-3546) Multiple weaknesses were found in the Tomcat DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887) Tomcat must be restarted for this update to take effect. -- SL5 x86_64 tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-common-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-jasper-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-server-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm i386 tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-common-lib-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-jasper-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-server-lib-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-webapps-5.5.23-0jpp.38.el5_9.i386.rpm - Scientific Linux Development Team . Important apache-tomcat5 security patch addresses multiple weaknesses in Scientific Linux.. Tomcat5 Security, Scientific Linux Update, Web Application Security, Remote Access Risks. . Severity: Important. LinuxSecurity.com Team
Mar 12, 2013
•Important
Scientific Linux
98
security advisoryremote accessimportantRed Hat 5: RHSA-2013:0640-01 Important: Tomcat5 Authentication Issues
Updated tomcat5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Important: tomcat5 security update Advisory ID: RHSA-2013:0640-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2013:0640.html Issue date: 2013-03-12 CVE Names: CVE-2012-3546 CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 ==================================================================== 1. Summary: Updated tomcat5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: Apache Tomcat is a servlet container. It was found that when an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of a URL. A remote attacker with an authenticated session on an affected application could use this flaw to circumvent authorization controls, and thereby access resources not permitted by the roles associated with their authenticated session. (CVE-2012-3546) Multiple weaknesses were found in the Tomcat DIGESTauthentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887) Users of Tomcat should upgrade to these updated packages, which correct these issues. Tomcat must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues 883634 - CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: i386: tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.i386.rpm x86_64: tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.x86_64.rpm RHEL Desktop Workstation (v. 5client): Source: i386: tomcat5-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-common-lib-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-jasper-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-server-lib-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-webapps-5.5.23-0jpp.38.el5_9.i386.rpm x86_64: tomcat5-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-common-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-jasper-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-server-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm Red Hat Enterprise Linux (v. 5server): Source: i386: tomcat5-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-common-lib-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-jasper-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-server-lib-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm tomcat5-webapps-5.5.23-0jpp.38.el5_9.i386.rpm ia64: tomcat5-5.5.23-0jpp.38.el5_9.ia64.rpm tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.ia64.rpm tomcat5-common-lib-5.5.23-0jpp.38.el5_9.ia64.rpm tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.ia64.rpm tomcat5-jasper-5.5.23-0jpp.38.el5_9.ia64.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.ia64.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.ia64.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.ia64.rpm tomcat5-server-lib-5.5.23-0jpp.38.el5_9.ia64.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.ia64.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.ia64.rpm tomcat5-webapps-5.5.23-0jpp.38.el5_9.ia64.rpm ppc: tomcat5-5.5.23-0jpp.38.el5_9.ppc.rpm tomcat5-5.5.23-0jpp.38.el5_9.ppc64.rpm tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.ppc.rpm tomcat5-common-lib-5.5.23-0jpp.38.el5_9.ppc.rpm tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.ppc.rpm tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.ppc64.rpm tomcat5-jasper-5.5.23-0jpp.38.el5_9.ppc.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.ppc.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.ppc.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.ppc.rpm tomcat5-server-lib-5.5.23-0jpp.38.el5_9.ppc.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.ppc.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.ppc.rpm tomcat5-webapps-5.5.23-0jpp.38.el5_9.ppc.rpm s390x: tomcat5-5.5.23-0jpp.38.el5_9.s390x.rpm tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.s390x.rpm tomcat5-common-lib-5.5.23-0jpp.38.el5_9.s390x.rpm tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.s390x.rpm tomcat5-jasper-5.5.23-0jpp.38.el5_9.s390x.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.s390x.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.s390x.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.s390x.rpm tomcat5-server-lib-5.5.23-0jpp.38.el5_9.s390x.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.s390x.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.s390x.rpm tomcat5-webapps-5.5.23-0jpp.38.el5_9.s390x.rpm x86_64: tomcat5-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-common-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-jasper-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-server-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm tomcat5-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2012-3546 https://access.redhat.com/security/cve/CVE-2012-5885 https://access.redhat.com/security/cve/CVE-2012-5886 https://access.redhat.com/security/cve/CVE-2012-5887 https://access.redhat.com/security/updates/classification#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2013 Red Hat, Inc. . Red Hat's newest security patch for Tomcat5 targets various vulnerabilities. Critical update recommendations for safeguarding system stability.. Tomcat5 Update, Red Hat Security, Remote Access Security. . Severity: Important. LinuxSecurity.com Team
Mar 12, 2013
•Important
Red Hat
98
security advisorymoderateupdateRed Hat Enterprise Linux 5 RHSA-2012-0474 Moderate: tomcat5 DoS Threat
Updated tomcat5 packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: tomcat5 security update Advisory ID: RHSA-2012:0474-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2012:0474.html Issue date: 2012-04-11 CVE Names: CVE-2011-4858 CVE-2012-0022 ==================================================================== 1. Summary: Updated tomcat5 packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that the Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause Tomcat to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters processed per request to mitigate this issue. The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting theorg.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties. (CVE-2011-4858) It was found that Tomcat did not handle large numbers of parameters and large parameter values efficiently. A remote attacker could make Tomcat use an excessive amount of CPU time by sending an HTTP request containing a large number of parameters or large parameter values. This update introduces limits on the number of parameters and headers processed per request to address this issue. Refer to the CVE-2011-4858 description for information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties. (CVE-2012-0022) Red Hat would like to thank oCERT for reporting CVE-2011-4858. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters of CVE-2011-4858. Users of Tomcat should upgrade to these updated packages, which correct these issues. Tomcat must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 750521 - CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003) 783359 - CVE-2012-0022 tomcat: large number of parameters DoS 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: i386: tomcat5-debuginfo-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.31.el5_8.i386.rpm x86_64: tomcat5-debuginfo-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.31.el5_8.x86_64.rpm RHEL Desktop Workstation (v. 5client): Source: i386: tomcat5-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-admin-webapps-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-common-lib-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-debuginfo-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-jasper-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-server-lib-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-webapps-5.5.23-0jpp.31.el5_8.i386.rpm x86_64: tomcat5-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-admin-webapps-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-common-lib-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-debuginfo-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-jasper-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-server-lib-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-webapps-5.5.23-0jpp.31.el5_8.x86_64.rpm Red Hat Enterprise Linux (v. 5server): Source: i386: tomcat5-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-admin-webapps-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-common-lib-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-debuginfo-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-jasper-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-server-lib-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.31.el5_8.i386.rpm tomcat5-webapps-5.5.23-0jpp.31.el5_8.i386.rpm ia64: tomcat5-5.5.23-0jpp.31.el5_8.ia64.rpm tomcat5-admin-webapps-5.5.23-0jpp.31.el5_8.ia64.rpm tomcat5-common-lib-5.5.23-0jpp.31.el5_8.ia64.rpm tomcat5-debuginfo-5.5.23-0jpp.31.el5_8.ia64.rpm tomcat5-jasper-5.5.23-0jpp.31.el5_8.ia64.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.31.el5_8.ia64.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.31.el5_8.ia64.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.31.el5_8.ia64.rpm tomcat5-server-lib-5.5.23-0jpp.31.el5_8.ia64.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.31.el5_8.ia64.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.31.el5_8.ia64.rpm tomcat5-webapps-5.5.23-0jpp.31.el5_8.ia64.rpm ppc: tomcat5-5.5.23-0jpp.31.el5_8.ppc.rpm tomcat5-5.5.23-0jpp.31.el5_8.ppc64.rpm tomcat5-admin-webapps-5.5.23-0jpp.31.el5_8.ppc.rpm tomcat5-common-lib-5.5.23-0jpp.31.el5_8.ppc.rpm tomcat5-debuginfo-5.5.23-0jpp.31.el5_8.ppc.rpm tomcat5-debuginfo-5.5.23-0jpp.31.el5_8.ppc64.rpm tomcat5-jasper-5.5.23-0jpp.31.el5_8.ppc.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.31.el5_8.ppc.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.31.el5_8.ppc.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.31.el5_8.ppc.rpm tomcat5-server-lib-5.5.23-0jpp.31.el5_8.ppc.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.31.el5_8.ppc.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.31.el5_8.ppc.rpm tomcat5-webapps-5.5.23-0jpp.31.el5_8.ppc.rpm s390x: tomcat5-5.5.23-0jpp.31.el5_8.s390x.rpm tomcat5-admin-webapps-5.5.23-0jpp.31.el5_8.s390x.rpm tomcat5-common-lib-5.5.23-0jpp.31.el5_8.s390x.rpm tomcat5-debuginfo-5.5.23-0jpp.31.el5_8.s390x.rpm tomcat5-jasper-5.5.23-0jpp.31.el5_8.s390x.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.31.el5_8.s390x.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.31.el5_8.s390x.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.31.el5_8.s390x.rpm tomcat5-server-lib-5.5.23-0jpp.31.el5_8.s390x.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.31.el5_8.s390x.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.31.el5_8.s390x.rpm tomcat5-webapps-5.5.23-0jpp.31.el5_8.s390x.rpm x86_64: tomcat5-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-admin-webapps-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-common-lib-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-debuginfo-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-jasper-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-server-lib-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.31.el5_8.x86_64.rpm tomcat5-webapps-5.5.23-0jpp.31.el5_8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2011-4858 https://access.redhat.com/security/cve/CVE-2012-0022 https://access.redhat.com/security/updates/classification#moderate https://tomcat.apache.org/security-5.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPhctDXlSAg2UNWIIRAnmwAKCG8ANIA6BMLPlUE4o+l6DV8EXkOgCgopJx Iouhu7nObQ+2gvPAV+Vvp7o=WA/1 -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list
Apr 11, 2012
Red Hat
200
security advisorymoderateremote threatSecurity Update for tomcat5 on Scientific Linux: CVE-2011-4858 Moderate
Moderate: tomcat5 security update. Date: Wed, 11 Apr 2012 16:05:37 -0500 Reply-To:
Apr 11, 2012
•Important
Scientific Linux
200
security advisorymoderateremote accessScientific Linux: 2011-12-20 Moderate Tomcat5 Security Update CVE-2011-0013
Moderate: tomcat5 security update. Date: Tue, 20 Dec 2011 16:36:43 -0600 Reply-To:
Dec 20, 2011
Scientific Linux
98
security advisoryred hatcross site scriptingCentOS: CESA-2011:1845-01 Moderate: Tomcat6 XSS And Directory Concerns
Updated tomcat5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Moderate: tomcat5 security update Advisory ID: RHSA-2011:1845-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2011:1845.html Issue date: 2011-12-20 CVE Names: CVE-2010-3718 CVE-2011-0013 CVE-2011-1184 CVE-2011-2204 ==================================================================== 1. Summary: Updated tomcat5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that web applications could modify the location of the Tomcat host's work directory. As web applications deployed on Tomcat have read and write access to this directory, a malicious web application could use this flaw to trick Tomcat into giving it read and write access to an arbitrary directory on the file system. (CVE-2010-3718) A cross-site scripting (XSS) flaw was found in the Manager application, used for managing web applications on Apache Tomcat. A malicious web application could use this flaw to conduct an XSS attack, leading to arbitrary web script execution with theprivileges of victims who are logged into and viewing Manager application web pages. (CVE-2011-0013) Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184) A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204) Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 675786 - CVE-2011-0013 tomcat: XSS vulnerability in HTML Manager interface 675792 - CVE-2010-3718 tomcat: file permission bypass flaw 717013 - CVE-2011-2204 tomcat: password disclosure vulnerability 741401 - CVE-2011-1184 tomcat: Multiple weaknesses in HTTP DIGEST authentication 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: i386: tomcat5-debuginfo-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.22.el5_7.i386.rpm x86_64: tomcat5-debuginfo-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.22.el5_7.x86_64.rpm RHEL Desktop Workstation (v. 5client): Source: i386: tomcat5-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-admin-webapps-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-common-lib-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-debuginfo-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-jasper-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-server-lib-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-webapps-5.5.23-0jpp.22.el5_7.i386.rpm x86_64: tomcat5-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-admin-webapps-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-common-lib-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-debuginfo-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-jasper-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-server-lib-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-webapps-5.5.23-0jpp.22.el5_7.x86_64.rpm Red Hat Enterprise Linux (v. 5server): Source: i386: tomcat5-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-admin-webapps-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-common-lib-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-debuginfo-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-jasper-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-server-lib-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.22.el5_7.i386.rpm tomcat5-webapps-5.5.23-0jpp.22.el5_7.i386.rpm ia64: tomcat5-5.5.23-0jpp.22.el5_7.ia64.rpm tomcat5-admin-webapps-5.5.23-0jpp.22.el5_7.ia64.rpm tomcat5-common-lib-5.5.23-0jpp.22.el5_7.ia64.rpm tomcat5-debuginfo-5.5.23-0jpp.22.el5_7.ia64.rpm tomcat5-jasper-5.5.23-0jpp.22.el5_7.ia64.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.22.el5_7.ia64.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.22.el5_7.ia64.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.22.el5_7.ia64.rpm tomcat5-server-lib-5.5.23-0jpp.22.el5_7.ia64.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.22.el5_7.ia64.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.22.el5_7.ia64.rpm tomcat5-webapps-5.5.23-0jpp.22.el5_7.ia64.rpm ppc: tomcat5-5.5.23-0jpp.22.el5_7.ppc.rpm tomcat5-5.5.23-0jpp.22.el5_7.ppc64.rpm tomcat5-admin-webapps-5.5.23-0jpp.22.el5_7.ppc.rpm tomcat5-common-lib-5.5.23-0jpp.22.el5_7.ppc.rpm tomcat5-debuginfo-5.5.23-0jpp.22.el5_7.ppc.rpm tomcat5-debuginfo-5.5.23-0jpp.22.el5_7.ppc64.rpm tomcat5-jasper-5.5.23-0jpp.22.el5_7.ppc.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.22.el5_7.ppc.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.22.el5_7.ppc.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.22.el5_7.ppc.rpm tomcat5-server-lib-5.5.23-0jpp.22.el5_7.ppc.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.22.el5_7.ppc.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.22.el5_7.ppc.rpm tomcat5-webapps-5.5.23-0jpp.22.el5_7.ppc.rpm s390x: tomcat5-5.5.23-0jpp.22.el5_7.s390x.rpm tomcat5-admin-webapps-5.5.23-0jpp.22.el5_7.s390x.rpm tomcat5-common-lib-5.5.23-0jpp.22.el5_7.s390x.rpm tomcat5-debuginfo-5.5.23-0jpp.22.el5_7.s390x.rpm tomcat5-jasper-5.5.23-0jpp.22.el5_7.s390x.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.22.el5_7.s390x.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.22.el5_7.s390x.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.22.el5_7.s390x.rpm tomcat5-server-lib-5.5.23-0jpp.22.el5_7.s390x.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.22.el5_7.s390x.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.22.el5_7.s390x.rpm tomcat5-webapps-5.5.23-0jpp.22.el5_7.s390x.rpm x86_64: tomcat5-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-admin-webapps-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-common-lib-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-debuginfo-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-jasper-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-server-lib-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.22.el5_7.x86_64.rpm tomcat5-webapps-5.5.23-0jpp.22.el5_7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2010-3718 https://access.redhat.com/security/cve/CVE-2011-0013 https://access.redhat.com/security/cve/CVE-2011-1184 https://access.redhat.com/security/cve/CVE-2011-2204 https://access.redhat.com/security/updates/classification#moderate https://tomcat.apache.org/security-5.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2011 Red Hat, Inc. . Revised tomcat5 distributions for Red Hat address moderate security vulnerabilities, improving system defense and operational efficiency.. Tomcat5 Security Update, Moderate Security Threat, Red Hat Advisory. . LinuxSecurity.com Team
Dec 20, 2011
Red Hat
200
security advisorydenial of servicesecurity updateScientific Linux: Important Tomcat5 Update CVE-2010-4476 Denial of Service
Important: tomcat5 security update. Date: Thu, 10 Mar 2011 13:19:23 -0600 Reply-To: Troy Dawson Sender: Security Errata for Scientific Linux From: Troy Dawson Subject: Security ERRATA Important: tomcat5 on SL5.x i386/x86_64 Comments: To: "
Mar 10, 2011
•Important
Scientific Linux
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!