MDVSA-2009:136
- Package name: tomcat5
- Date: 2009-06-22
- Advisory ID: MDVSA-2009:136
- Affected versions: 2008.1 x86_64, 2008.1 i586
Problem description
Multiple security vulnerabilities have been identified and fixed
in tomcat5:
When Tomcat's WebDAV servlet is configured for use with a context
and has been enabled for write, some WebDAV requests that specify
an entity with a SYSTEM tag can result in the contents of arbitrary
files being returned to the client (CVE-2007-5461).
Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when
the native APR connector is used, does not properly handle an empty
request to the SSL port, which allows remote attackers to trigger
handling of a duplicate copy of one of the recent requests, as
demonstrated by using netcat to send the empty request (CVE-2007-6286).
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through
6.0.18, and possibly earlier versions normalizes the target pathname
before filtering the query string when using the RequestDispatcher
method, which allows remote attackers to bypass intended access
restrictions and conduct directory traversal attacks via .. (dot dot)
sequences and the WEB-INF directory in a Request (CVE-2008-5515).
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
through 6.0.18, when the Java AJP connector and mod_jk load balancing
are used, allows remote attackers to cause a denial of service
(application outage) via a crafted request with invalid headers,
related to temporary blocking of connectors that have encountered
errors, as demonstrated by an error involving a malformed HTTP Host
header (CVE-2009-0033).
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and
6.0.0 through 6.0.18, when FORM authentication is used, allows
remote attackers to enumerate valid usernames via requests to
/j_security_check with malformed URL encoding of passwords, related to
improper error checking in the (1) MemoryRealm, (2) DataSourceRealm,
and (3) JDBCRealm authentication realms, as demonstrated by a %
(percent) value for the j_password parameter (CVE-2009-0580).
The calendar application in the examples web application contains an
XSS flaw due to invalid HTML which renders the XSS filtering protection
ineffective (CVE-2009-0781).
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
through 6.0.18 permits web applications to replace an XML parser used
for other web applications, which allows local users to read or modify
the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web
applications via a crafted application that is loaded earlier than
the target application (CVE-2009-0783).
The updated packages have been patched to prevent this.
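An added example, not part of the Mandriva advisory or the Tomcat project: a configuration audit that reports which of the preconditions named above are present in a Tomcat server.xml and web.xml, useful for prioritising hosts that have not yet taken the update. The sample XML is constructed and the function names are hypothetical; the CVE-2009-0033 check sees only the AJP connector, because mod_jk load balancing is configured on the web server side.

```python
import xml.etree.ElementTree as ET

# Realm classes named in the advisory text for CVE-2009-0580.
REALMS = {"MemoryRealm", "DataSourceRealm", "JDBCRealm"}

# Constructed sample configuration (not from the advisory).
SAMPLE_SERVER_XML = """<Server port="8005"><Service name="Catalina">
  <Connector port="8080"/>
  <Connector port="8009" protocol="AJP/1.3"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.MemoryRealm"/>
  </Engine></Service></Server>"""
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet><servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name>
      <param-value>false</param-value></init-param></servlet>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""

def _find(elem, name):
    """All descendants with this local tag name, ignoring XML namespaces."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _find(elem, name)
    return (found[0].text or "").strip() if found else ""

def audit(server_xml, web_xml):
    """Return advisory CVE ids whose configuration preconditions are present."""
    server, web = ET.fromstring(server_xml), ET.fromstring(web_xml)
    hits = set()
    # CVE-2007-5461: WebDAV servlet enabled for write (readonly=false).
    for servlet in _find(web, "servlet"):
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in _find(servlet, "init-param")}
        if (_text(servlet, "servlet-class").endswith(".WebdavServlet")
                and params.get("readonly", "true").lower() == "false"):
            hits.add("CVE-2007-5461")
    # CVE-2009-0580: FORM authentication backed by one of the named realms.
    realms = {r.get("className", "").rsplit(".", 1)[-1] for r in _find(server, "Realm")}
    if _text(web, "auth-method").upper() == "FORM" and realms & REALMS:
        hits.add("CVE-2009-0580")
    # CVE-2009-0033: an AJP connector exists; mod_jk balancing is set on the
    # httpd side, so this flags a candidate only.
    if any(c.get("protocol", "").upper().startswith("AJP")
           for c in _find(server, "Connector")):
        hits.add("CVE-2009-0033")
    return hits
```

Calling `audit(SAMPLE_SERVER_XML, SAMPLE_WEB_XML)` returns all three identifiers; a result is a reason to confirm the installed package level, not proof that the host is exploitable.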
Updated packages
2008.1 x86_64
2008.1 i586
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
- http://tomcat.apache.org/security-5.html
