Mandriva: 2011:156: tomcat5
Posted by Benjamin D. Thomas
Mandrake: Multiple vulnerabilities have been discovered and corrected in tomcat 5.5.x: the implementation of HTTP DIGEST authentication in tomcat was discovered to have several weaknesses (CVE-2011-1184).
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:156
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : tomcat5
 Date    : October 18, 2011
 Affected: 2010.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in tomcat
 5.5.x:
 
 The implementation of HTTP DIGEST authentication in tomcat was
 discovered to have several weaknesses (CVE-2011-1184).
 
 Apache Tomcat, when the MemoryUserDatabase is used, creates log entries
 containing passwords upon encountering errors in JMX user creation,
 which allows local users to obtain sensitive information by reading
 a log file (CVE-2011-2204).
 
 Apache Tomcat, when sendfile is enabled for the HTTP APR or HTTP
 NIO connector, does not validate certain request attributes, which
 allows local users to bypass intended file access restrictions or
 cause a denial of service (infinite loop or JVM crash) by leveraging
 an untrusted web application (CVE-2011-2526).
 
 Certain AJP protocol connector implementations in Apache Tomcat allow
 remote attackers to spoof AJP requests, bypass authentication, and
 obtain sensitive information by causing the connector to interpret
 a request body as a new request (CVE-2011-3190).
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190
 http://tomcat.apache.org/security-5.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 773a5fc229b75a431546c24f560e8913  2010.1/i586/tomcat5-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 6164f8836446357d0c524706e74cfaac  2010.1/i586/tomcat5-admin-webapps-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 608020232619e313b1e5b78c925e3ec9  2010.1/i586/tomcat5-common-lib-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 a014466c79378815eea53bf71058a811  2010.1/i586/tomcat5-jasper-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 fc23df07e993d5563ba5ea6cc19c7faf  2010.1/i586/tomcat5-jasper-eclipse-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 1e293502cc60a9543a83241165668df1  2010.1/i586/tomcat5-jasper-javadoc-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 8bf104f92c4c365beea776a3e335dd74  2010.1/i586/tomcat5-jsp-2.0-api-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 34d375a720129c779a8396df0fea4332  2010.1/i586/tomcat5-jsp-2.0-api-javadoc-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 f266c74edee028677a2b2ce0d907f194  2010.1/i586/tomcat5-server-lib-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 f290cdda12fe10cbd2131f769ac001c0  2010.1/i586/tomcat5-servlet-2.4-api-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 86065d9a174943936047a07e6ee44de8  2010.1/i586/tomcat5-servlet-2.4-api-javadoc-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 eae685ce8ecee314b6d2221198eacc90  2010.1/i586/tomcat5-webapps-5.5.28-0.5.0.3mdv2010.2.noarch.rpm 
 c5363a8910ef6f6ba395dc9222f66e42  2010.1/SRPMS/tomcat5-5.5.28-0.5.0.3mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 05f89a0bd05436ab648a2b6e7921cd7c  2010.1/x86_64/tomcat5-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 beb3f7bee12e2c3d27d2da45cd4d5cbf  2010.1/x86_64/tomcat5-admin-webapps-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 94f8860fdcc706d20e32f519a5f44e62  2010.1/x86_64/tomcat5-common-lib-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 1ae847ee8fccc93b0fbcd3caa20e3f4c  2010.1/x86_64/tomcat5-jasper-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 593df02d912d630bb580156d1352cee4  2010.1/x86_64/tomcat5-jasper-eclipse-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 00933232ea5411c8194b94caa2576365  2010.1/x86_64/tomcat5-jasper-javadoc-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 2bad11a52672af123cb464fbd5195650  2010.1/x86_64/tomcat5-jsp-2.0-api-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 3b31cfb99a68d45022fe09a34623b78d  2010.1/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 8bfdc07d6a914edf7dac32e0641cbc0c  2010.1/x86_64/tomcat5-server-lib-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 c7667a661a3654750fc0069a1fa10289  2010.1/x86_64/tomcat5-servlet-2.4-api-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 51fb24de9c2cbbbbc10bad1a29d85709  2010.1/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.28-0.5.0.3mdv2010.2.noarch.rpm
 011186ea5ab76f3b4eac56e0ada5e080  2010.1/x86_64/tomcat5-webapps-5.5.28-0.5.0.3mdv2010.2.noarch.rpm 
 c5363a8910ef6f6ba395dc9222f66e42  2010.1/SRPMS/tomcat5-5.5.28-0.5.0.3mdv2010.2.src.rpm

 Mandriva Enterprise Server 5:
 125a7eb9dcc1683f8ac07af85ca76ec0  mes5/i586/tomcat5-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 24c7aa0d7ea2ca4d9e4e1d9544ea16f8  mes5/i586/tomcat5-admin-webapps-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 568879dcf8335d6bf98076170f052072  mes5/i586/tomcat5-common-lib-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 84e69e48ecd35f246d4fa6ed926efad9  mes5/i586/tomcat5-jasper-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 540440225e1f3ce5de895c8ed46f2443  mes5/i586/tomcat5-jasper-eclipse-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 a9ff3a61cd9708fb2ad6ba6fd9112aff  mes5/i586/tomcat5-jasper-javadoc-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 1939ea1c2e62dc94a7835a6ac6dbf6e3  mes5/i586/tomcat5-jsp-2.0-api-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 d17ced8fe80f33f3007bc9dd8f7c446e  mes5/i586/tomcat5-jsp-2.0-api-javadoc-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 21ffcde63e835e3532d3383f9607c8b7  mes5/i586/tomcat5-server-lib-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 38f82d3d0cb274d8e3a8781f4087eff4  mes5/i586/tomcat5-servlet-2.4-api-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 f6d5fc18de6eb4eb64a4410514df3544  mes5/i586/tomcat5-servlet-2.4-api-javadoc-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 57026e2da95e91b2a4140caa443afd1e  mes5/i586/tomcat5-webapps-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm 
 dc2118f7227a36e842cefaf417338a36  mes5/SRPMS/tomcat5-5.5.28-0.5.0.3mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 74e8a69d9970bd3fe07aa5014deed2d4  mes5/x86_64/tomcat5-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 febe57b644b0341a2abe88bc412d83d8  mes5/x86_64/tomcat5-admin-webapps-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 3045ba1b90c28c481b562946651dc0d2  mes5/x86_64/tomcat5-common-lib-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 3329413dde2923f317feacaac38ce303  mes5/x86_64/tomcat5-jasper-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 c689ea5d6a2305e98f17d2e62af54a65  mes5/x86_64/tomcat5-jasper-eclipse-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 4f9f1bdcdc48b702fcfbb72f5a0b0654  mes5/x86_64/tomcat5-jasper-javadoc-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 b054e07dda62cd976d426a787cc2cf8e  mes5/x86_64/tomcat5-jsp-2.0-api-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 9c7a9d767e8f843413b749194f5edd33  mes5/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 1acee64bbbc9e257badcbf4a3dbbd8e5  mes5/x86_64/tomcat5-server-lib-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 a39d5bef79a400f012e41ffe7d1b17c8  mes5/x86_64/tomcat5-servlet-2.4-api-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 6464fd323297c3d6619131c7b432c580  mes5/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm
 fffd75e85b90aba4b6a3a5c73cabb944  mes5/x86_64/tomcat5-webapps-5.5.28-0.5.0.3mdvmes5.2.noarch.rpm 
 dc2118f7227a36e842cefaf417338a36  mes5/SRPMS/tomcat5-5.5.28-0.5.0.3mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
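When packages are fetched by hand rather than through urpmi, the checksum table in "Updated Packages" is the only published record of what the intended files look like. The script below is an added example, not part of the Mandriva advisory or of any Mandriva tool: it parses lines of the form `<md5>  <relative path>` from an advisory and compares them with files under a local mirror directory, reporting each package as intact, altered, or not downloaded. The package names and file contents used in `demo()` are constructed for illustration and are not real Mandriva packages.

```python
import hashlib
import os
import re
import tempfile

# One "Updated Packages" line of a Mandriva advisory:
# 32 hex characters, whitespace, then a relative .rpm path
# (trailing whitespace, as on some lines of the advisory, is tolerated).
PKG_LINE = re.compile(r"^\s*([0-9a-f]{32})\s+(\S+\.rpm)\s*$")


def parse_package_table(advisory_text):
    """Return {relative_path: md5hex} for every checksum line in the advisory."""
    table = {}
    for line in advisory_text.splitlines():
        m = PKG_LINE.match(line)
        if m:
            table[m.group(2)] = m.group(1)
    return table


def md5_of_file(path):
    """Stream the file through MD5 so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(table, mirror_root):
    """Compare each advisory checksum with the file at mirror_root/<relative path>.

    Returns {relative_path: "ok" | "mismatch" | "missing"}.
    """
    results = {}
    for rel_path, expected in table.items():
        local = os.path.join(mirror_root, rel_path)
        if not os.path.isfile(local):
            results[rel_path] = "missing"
        elif md5_of_file(local) == expected:
            results[rel_path] = "ok"
        else:
            results[rel_path] = "mismatch"
    return results


def demo():
    """Constructed end-to-end run (hypothetical packages, not Mandriva's):
    one intact file, one file altered after the checksum was published,
    and one package listed in the advisory but never downloaded."""
    root = tempfile.mkdtemp()
    pkg_dir = os.path.join(root, "2010.1", "i586")
    os.makedirs(pkg_dir, exist_ok=True)
    good = os.path.join(pkg_dir, "good-1.0.noarch.rpm")
    tampered = os.path.join(pkg_dir, "tampered-1.0.noarch.rpm")
    with open(good, "wb") as f:
        f.write(b"constructed package contents A")
    with open(tampered, "wb") as f:
        f.write(b"constructed package contents B, altered after publication")
    # Advisory text in the same layout as the "Updated Packages" section.
    advisory = "\n".join([
        " Mandriva Linux 2010.1:",
        " %s  2010.1/i586/good-1.0.noarch.rpm" % md5_of_file(good),
        " %s  2010.1/i586/tampered-1.0.noarch.rpm"
        % hashlib.md5(b"constructed package contents B").hexdigest(),
        " %s  2010.1/SRPMS/never-downloaded-1.0.src.rpm" % ("0" * 32),
    ])
    return verify_downloads(parse_package_table(advisory), root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print("%-10s %s" % (status, path))
```

Against a real download, call `verify_downloads(parse_package_table(open("MDVSA-2011-156.txt").read()), "/path/to/mirror")` with the advisory saved to a file and the packages laid out under their `2010.1/...` or `mes5/...` relative paths. Note the limits of this check: MD5 is not collision resistant, so a matching checksum rules out accidental corruption and careless substitution, not a determined attacker; the GPG signature on each package, checked against the Mandriva Security Team key referenced above, is what actually authenticates it.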

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________