Gentoo: tomcat file access vulnerability
Posted by LinuxSecurity.com Team   
Gentoo Versions prior to tomcat-4.1.24 created /opt/tomcat with a directory mode which allowed users to access files containing passwords.

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200306-01
- - - ---------------------------------------------------------------------

          PACKAGE : tomcat
          SUMMARY : insecure directory mode
             DATE : 2003-06-01 12:08 UTC
          EXPLOIT : local
VERSIONS AFFECTED : =tomcat-4.1.24-r1
              CVE : 

- - - ---------------------------------------------------------------------

Versions prior to tomcat-4.1.24 created /opt/tomcat with a directory
mode which allowed users to access files containing passwords.

SOLUTION

Either upgrade to tomcat-4.1.24-r1 by running

emerge sync
emerge tomcat
emerge clean

or execute the following:

/etc/init.d/tomcat stop
chmod -R 750 /opt/tomcat/
/etc/init.d/tomcat start

- - - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at  http://cvs.gentoo.org/~aliz
absinthe@gentoo.org
- - - ---------------------------------------------------------------------