Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201206-24 ] Apache Tomcat: Multiple vulnerabilities
Date: Sun, 24 Jun 2012 14:48:48
Message-Id: 4FE72702.1010004@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201206-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Apache Tomcat: Multiple vulnerabilities
Date: June 24, 2012
Bugs: #272566, #273662, #303719, #320963, #329937, #373987,
      #374619, #382043, #386213, #396401, #399227
ID: 201206-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Apache Tomcat, the worst of
which allow an attacker to read, modify and overwrite arbitrary files.

Background
==========

Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.

Affected packages
=================

    -------------------------------------------------------------------
       Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
    1  www-servers/tomcat          *< 5.5.34                  *>= 6.0.35
                                   *< 6.0.35                   >= 7.0.23
                                    < 7.0.23

Description
===========

Multiple vulnerabilities have been discovered in Apache Tomcat. Please
review the CVE identifiers referenced below for details.

Impact
======

The vulnerabilities allow an attacker to cause a Denial of Service, to
hijack a session, to bypass authentication, to inject webscript, to
enumerate valid usernames, to read, modify and overwrite arbitrary
files, to bypass intended access restrictions, to delete work-directory
files, to discover the server's hostname or IP, to bypass read
permissions for files or HTTP headers, to read or write files outside
of the intended working directory, and to obtain sensitive information
by reading a log file.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Apache Tomcat 6.0.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-servers/tomcat-6.0.35"

All Apache Tomcat 7.0.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.23"
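
The following POSIX shell helper is an added example, not part of the advisory or of Gentoo's own tooling. It encodes the affected-package table above (vulnerable below 5.5.34, 6.0.x below 6.0.35, 7.0.x below 7.0.23) so an administrator can classify an installed www-servers/tomcat version before running the emerge commands, and it prints the matching upgrade atom from the Resolution section. It assumes a plain dotted numeric version string; a Gentoo "-rN" revision suffix is stripped before comparison, and anything else (e.g. "_rc" builds) is out of scope.

```shell
#!/bin/sh
# Added example for GLSA 201206-24: classify a www-servers/tomcat version
# against the advisory's vulnerable ranges. Not Gentoo project code.

# vercmp A B: print -1, 0 or 1 for A < B, A = B, A > B on dotted numeric
# versions. A trailing Gentoo revision such as "-r1" is ignored.
vercmp() {
    a="${1%%-*}"
    b="${2%%-*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # peel off the leading component of each side; missing parts count as 0
        ah="${a%%.*}"; if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        bh="${b%%.*}"; if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    done
    echo 0
}

# tomcat_affected VERSION: exit 0 when VERSION falls inside a range the
# advisory lists as vulnerable, exit 1 otherwise. Ranges taken from the
# Affected packages table: < 5.5.34, 6.0.x < 6.0.35, 7.0.x < 7.0.23.
tomcat_affected() {
    v="$1"
    if [ "$(vercmp "$v" 5.5.34)" -lt 0 ]; then return 0; fi
    if [ "$(vercmp "$v" 6.0.0)" -ge 0 ] && [ "$(vercmp "$v" 6.0.35)" -lt 0 ]; then
        return 0
    fi
    if [ "$(vercmp "$v" 7.0.0)" -ge 0 ] && [ "$(vercmp "$v" 7.0.23)" -lt 0 ]; then
        return 0
    fi
    return 1
}

# tomcat_fix_target VERSION: print the package atom the Resolution section
# tells users on that branch to install. The advisory lists no fixed 5.5
# build, so anything below 7.0 is pointed at the 6.0.35 atom.
tomcat_fix_target() {
    if [ "$(vercmp "$1" 7.0.0)" -ge 0 ]; then
        echo ">=www-servers/tomcat-7.0.23"
    else
        echo ">=www-servers/tomcat-6.0.35"
    fi
}

# Optional command-line use: ./check.sh 6.0.32
if [ $# -gt 0 ]; then
    if tomcat_affected "$1"; then
        echo "tomcat $1 is affected by GLSA 201206-24; emerge --oneshot \"$(tomcat_fix_target "$1")\""
    else
        echo "tomcat $1 is outside the advisory's vulnerable ranges"
    fi
fi
```

Run it with the version reported by your package manager as the single argument; a zero exit status from `tomcat_affected` means the installed build sits in one of the advisory's vulnerable ranges and the printed atom matches the corresponding emerge line above.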

References
==========

[ 1 ] CVE-2008-5515
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5515
[ 2 ] CVE-2009-0033
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0033
[ 3 ] CVE-2009-0580
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0580
[ 4 ] CVE-2009-0781
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0781
[ 5 ] CVE-2009-0783
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0783
[ 6 ] CVE-2009-2693
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2693
[ 7 ] CVE-2009-2901
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2901
[ 8 ] CVE-2009-2902
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2902
[ 9 ] CVE-2010-1157
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1157
[ 10 ] CVE-2010-2227
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2227
[ 11 ] CVE-2010-3718
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3718
[ 12 ] CVE-2010-4172
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4172
[ 13 ] CVE-2010-4312
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4312
[ 14 ] CVE-2011-0013
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0013
[ 15 ] CVE-2011-0534
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0534
[ 16 ] CVE-2011-1088
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1088
[ 17 ] CVE-2011-1183
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1183
[ 18 ] CVE-2011-1184
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1184
[ 19 ] CVE-2011-1419
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1419
[ 20 ] CVE-2011-1475
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1475
[ 21 ] CVE-2011-1582
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1582
[ 22 ] CVE-2011-2204
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2204
[ 23 ] CVE-2011-2481
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2481
[ 24 ] CVE-2011-2526
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2526
[ 25 ] CVE-2011-2729
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2729
[ 26 ] CVE-2011-3190
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3190
[ 27 ] CVE-2011-3375
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3375
[ 28 ] CVE-2011-4858
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4858
[ 29 ] CVE-2011-5062
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5062
[ 30 ] CVE-2011-5063
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5063
[ 31 ] CVE-2011-5064
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5064
[ 32 ] CVE-2012-0022
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0022

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201206-24.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Attachments

File name MIME type
signature.asc application/pgp-signature