Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] GLSA: tomcat
Date: Tue, 15 Oct 2002 03:10:19
Message-Id: 20021015081018.D224533728@mail1.tamperd.net
--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200210-001
--------------------------------------------------------------------

PACKAGE : tomcat
SUMMARY : source disclosure
EXPLOIT : remote
DATE    : 2002-10-15 08:15 UTC

--------------------------------------------------------------------

A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases (including Tomcat 4.0.5). It allows a specially crafted
URL to return the unprocessed source of a JSP page or, under special
circumstances, a static resource that would otherwise have been
protected by a security constraint, without the requester being
properly authenticated. This is based on a variant of the exploit that
was disclosed on 09/24/2002.

Read the full disclosure at
http://marc.theaimsgroup.com/?l=tomcat-dev&m=103417249325526&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-www/tomcat-4.0.5 and earlier update their systems
as follows:

emerge rsync
emerge tomcat
emerge clean

--------------------------------------------------------------------
aliz@g.o - GnuPG key is available at www.gentoo.org/~aliz
--------------------------------------------------------------------