Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201412-29 ] Apache Tomcat: Multiple vulnerabilities
Date: Mon, 15 Dec 2014 00:44:58
Message-Id: 548E2EC2.1090304@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Apache Tomcat: Multiple vulnerabilities
Date: December 15, 2014
Bugs: #442014, #469434, #500600, #511762, #517630, #519590
ID: 201412-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Apache Tomcat, the worst of
which may result in Denial of Service.

Background
==========

Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-servers/tomcat         < 7.0.56               *>= 6.0.41
                                                         >= 7.0.56
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been discovered in Tomcat. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker may be able to cause a Denial of Service condition as
well as obtain sensitive information, bypass protection mechanisms and
authentication restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Tomcat 6.0.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-6.0.41"

All Tomcat 7.0.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.56"

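The Affected packages table is branch-specific: 6.0.41 counts as unaffected even though it is below 7.0.56, which is why the Resolution gives a separate upgrade target for each branch. As an added example, not part of the GLSA, the POSIX shell check below classifies a www-servers/tomcat version against exactly those ranges; the function names and the sample versions are constructed.

```shell
#!/bin/sh
# Added example, not part of GLSA 201412-29: classify a www-servers/tomcat
# version against the ranges in the advisory's Affected packages table.
#   vulnerable : < 7.0.56, except the 6.0 branch at >= 6.0.41 (marked *)
#   unaffected : >= 7.0.56, or 6.0.x with x >= 41
# Assumes versions of the form MAJOR.MINOR.PATCH, optionally followed by a
# Gentoo revision suffix such as -r1, which is ignored for the comparison.

# vercmp_ge A B : succeed (exit 0) when dotted version A >= dotted version B
vercmp_ge() {
    a=$(printf '%s' "$1" | sed 's/-r[0-9]*$//')
    b=$2
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0    # all three components equal
}

# glsa_201412_29_status VERSION : print "unaffected" or "vulnerable"
glsa_201412_29_status() {
    ver=$1
    branch=$(printf '%s' "$ver" | cut -d. -f1-2)
    if vercmp_ge "$ver" 7.0.56; then
        echo unaffected
    elif [ "$branch" = 6.0 ] && vercmp_ge "$ver" 6.0.41; then
        echo unaffected
    else
        echo vulnerable
    fi
}

# Usage: pass the installed version as the first argument; with no argument
# the constructed sample versions below are checked instead.
for ver in ${1:-6.0.39 6.0.41-r1 7.0.55 7.0.56 8.0.14}; do
    printf '%-12s %s\n' "$ver" "$(glsa_201412_29_status "$ver")"
done
```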
References
==========

[ 1 ] CVE-2012-2733
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2733
[ 2 ] CVE-2012-3544
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3544
[ 3 ] CVE-2012-3546
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3546
[ 4 ] CVE-2012-4431
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4431
[ 5 ] CVE-2012-4534
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4534
[ 6 ] CVE-2012-5885
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5885
[ 7 ] CVE-2012-5886
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5886
[ 8 ] CVE-2012-5887
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5887
[ 9 ] CVE-2013-2067
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2067
[ 10 ] CVE-2013-2071
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2071
[ 11 ] CVE-2013-4286
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4286
[ 12 ] CVE-2013-4322
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4322
[ 13 ] CVE-2013-4590
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4590
[ 14 ] CVE-2014-0033
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0033
[ 15 ] CVE-2014-0050
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0050
[ 16 ] CVE-2014-0075
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0075
[ 17 ] CVE-2014-0096
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0096
[ 18 ] CVE-2014-0099
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0099
[ 19 ] CVE-2014-0119
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0119

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-29.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
