Package name
tomcat5
Date
2009-06-22
Advisory ID
MDVSA-2009:138
Affected versions
2009.0 x86_64, 2009.0 i586, 2009.1 i586, 2009.1 x86_64

Problem description

Multiple security vulnerabilities have been identified and fixed
in tomcat5:

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through
6.0.18, and possibly earlier versions normalizes the target pathname
before filtering the query string when using the RequestDispatcher
method, which allows remote attackers to bypass intended access
restrictions and conduct directory traversal attacks via .. (dot dot)
sequences and the WEB-INF directory in a Request (CVE-2008-5515).
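The following is an added defensive check, not code from the advisory or from Tomcat: it validates a dispatcher target the way an application should before forwarding, decoding repeatedly and normalising path and query values together, since the traversal described above rides in the query string. The sample URIs and the `path` parameter name are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote

# Directories that must never be reachable through a forward or include.
FORBIDDEN_DIRS = {"web-inf", "meta-inf"}


def fully_decode(value: str, max_rounds: int = 4) -> str:
    """Percent-decode until the string stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def forward_target_is_safe(request_uri: str) -> bool:
    """Return True only if every path-like part of the request stays inside the
    context root and never touches WEB-INF or META-INF.

    The raw path and each query-string value are checked, because the bypass in
    CVE-2008-5515 is completed by query data appended to an already-normalised
    path; checking only the path would miss it."""
    path, _, query = request_uri.partition("?")
    candidates = [path]
    for param in query.split("&"):
        if param:
            candidates.append(param.partition("=")[2])  # value after '='
    for cand in candidates:
        decoded = fully_decode(cand).replace("\\", "/")
        segments = [seg.lower() for seg in decoded.split("/") if seg]
        # A bare ".." segment is never legitimate in a dispatcher target.
        if ".." in segments:
            return False
        # normpath on a rooted path cannot climb above "/", so after
        # normalisation only the forbidden-directory check remains.
        norm = posixpath.normpath("/" + decoded)
        if any(seg.lower() in FORBIDDEN_DIRS for seg in norm.split("/")):
            return False
    return True
```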

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
through 6.0.18, when the Java AJP connector and mod_jk load balancing
are used, allows remote attackers to cause a denial of service
(application outage) via a crafted request with invalid headers,
related to temporary blocking of connectors that have encountered
errors, as demonstrated by an error involving a malformed HTTP Host
header (CVE-2009-0033).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and
6.0.0 through 6.0.18, when FORM authentication is used, allows
remote attackers to enumerate valid usernames via requests to
/j_security_check with malformed URL encoding of passwords, related to
improper error checking in the (1) MemoryRealm, (2) DataSourceRealm,
and (3) JDBCRealm authentication realms, as demonstrated by a %
(percent) value for the j_password parameter (CVE-2009-0580).
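As an added illustration (not the advisory's or Tomcat's code), the two functions below model the flaw class behind CVE-2009-0580 and its fix in a toy FORM realm: the vulnerable flow looks the user up first and only then decodes the password, so a malformed `%` produces a distinguishable error solely for usernames that exist; the fixed flow decodes first, maps decode failures to the ordinary login failure, and does the same work for known and unknown users. The user table, salt and response strings are constructed assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import unquote

# Constructed demo realm: username -> salted SHA-256 of the password.
_SALT = b"advisory-demo-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


USERS = {"alice": _digest("correct horse")}
_DUMMY = _digest("unused")  # compared for unknown users so the work is uniform

_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits


def strict_unquote(value: str) -> str:
    """Percent-decode, raising ValueError on a dangling or malformed '%'."""
    if _BAD_PCT.search(value):
        raise ValueError("malformed percent-encoding")
    return unquote(value)


def login_vulnerable(j_username: str, j_password: str) -> str:
    """Lookup before decode: a bad encoding only errors when the user exists."""
    record = USERS.get(j_username)
    if record is None:
        return "login-failed"
    try:
        password = strict_unquote(j_password)
    except ValueError:
        return "server-error"  # distinguishable response: leaks that the user exists
    return "ok" if hmac.compare_digest(record, _digest(password)) else "login-failed"


def login_fixed(j_username: str, j_password: str) -> str:
    """Decode first, treat undecodable input as a wrong password, and always
    run the comparison so known and unknown users answer identically."""
    try:
        password = strict_unquote(j_password)
    except ValueError:
        password = ""
    record = USERS.get(j_username, _DUMMY)
    matched = hmac.compare_digest(record, _digest(password))
    return "ok" if matched and j_username in USERS else "login-failed"
```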

The calendar application in the examples web application contains an
XSS flaw due to invalid HTML which renders the XSS filtering protection
ineffective (CVE-2009-0781).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
through 6.0.18 permits web applications to replace an XML parser used
for other web applications, which allows local users to read or modify
the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web
applications via a crafted application that is loaded earlier than
the target application (CVE-2009-0783).

The updated packages have been patched to prevent this. Additionally,
Apache Tomcat has been upgraded to the latest 5.5.27 version for
2009.0.

Updated packages


References