Ubuntu: Tomcat vulnerabilities
Posted by Benjamin D. Thomas   
It was discovered that Tomcat did not correctly validate WAR filenames or paths when deploying. A remote attacker could send a specially crafted WAR file to be deployed and cause arbitrary files and directories to be created, overwritten, or deleted.
===========================================================
Ubuntu Security Notice USN-899-1          February 11, 2010
tomcat6 vulnerabilities
CVE-2009-2693, CVE-2009-2901, CVE-2009-2902
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  libtomcat6-java                 6.0.18-0ubuntu3.3

Ubuntu 9.04:
  libtomcat6-java                 6.0.18-0ubuntu6.2

Ubuntu 9.10:
  libtomcat6-java                 6.0.20-2ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Tomcat did not correctly validate WAR filenames or
paths when deploying. A remote attacker could send a specially crafted WAR
file to be deployed and cause arbitrary files and directories to be
created, overwritten, or deleted.
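As an added example (not Ubuntu's or Tomcat's own code), the two checks the advisory describes as missing, written in Python: the WAR filename must be a bare name, and every entry path inside the archive must resolve under the application's own directory before anything is written or removed. The webapps path, application name and archive entries are constructed for the demonstration.

```python
import io
import posixpath
import zipfile
from typing import List, Optional, Tuple

def is_safe_war_name(name: str) -> bool:
    """Accept only a bare filename such as 'shop.war': no directory parts, no '.'/'..' stem."""
    stem, dot, ext = name.rpartition(".")
    if not dot or ext != "war":
        return False
    return bool(stem) and stem not in (".", "..") and not any(c in stem for c in "/\\\0")


def safe_entry_target(app_dir: str, entry_name: str) -> Optional[str]:
    """Resolve an archive entry under app_dir (POSIX semantics); None if it escapes."""
    root = posixpath.normpath(app_dir)
    if posixpath.isabs(entry_name) or "\\" in entry_name or "\0" in entry_name:
        return None
    target = posixpath.normpath(posixpath.join(root, entry_name))
    # The trailing "/" keeps a sibling directory such as root + "2" from passing.
    if target != root and not target.startswith(root + "/"):
        return None
    return target


def check_war(war_bytes: bytes, war_name: str, webapps_dir: str) -> Tuple[bool, List[str]]:
    """Validate the WAR filename and every entry path; return (ok, offending names)."""
    if not is_safe_war_name(war_name):
        return False, [war_name]
    app_dir = posixpath.join(webapps_dir, war_name[:-len(".war")])
    rejected = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for info in zf.infolist():
            if safe_entry_target(app_dir, info.filename) is None:
                rejected.append(info.filename)
    return not rejected, rejected


def build_sample_war(entry_names: List[str]) -> bytes:
    """Constructed test input: an in-memory zip whose entries carry the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_war(["WEB-INF/web.xml", "index.jsp", "../../evil.jsp"])
    print(check_war(war, "shop.war", "/srv/tomcat6/webapps"))  # (False, ['../../evil.jsp'])
```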


Updated packages for Ubuntu 8.10:


Updated packages for Ubuntu 9.04:


Updated packages for Ubuntu 9.10:
