Nom du paquet
tomcat5
Date
2011-02-18
Advisory ID
MDVSA-2011:030
Affected versions
2009.0 x86_64 , MES5 i586 , 2010.0 x86_64 , 2010.1 i586 , 2010.0 i586 , 2009.0 i586 , MES5 x86_64 , 2010.1 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in tomcat5:

When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to
the work directory. This directory is used for a variety of temporary
files such as the intermediate files generated when compiling JSPs
to Servlets. The location of the work directory is specified by
a ServletContect attribute that is meant to be read-only to web
applications. However, due to a coding error, the read-only setting
was not applied. Therefore, a malicious web application may modify
the attribute before Tomcat applies the file permissions. This can be
used to grant read/write permissions to any area on the file system
which a malicious web application may then take advantage of. This
vulnerability is only applicable when hosting web applications from
untrusted sources such as shared hosting environments (CVE-2010-3718).

The HTML Manager interface displayed web applciation provided data,
such as display names, without filtering. A malicious web application
could trigger script execution by an administartive user when viewing
the manager pages (CVE-2011-0013).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

Updated packages

2009.0 x86_64

 7f3a9c9a0f48012967fece5d682cc344  2009.0/x86_64/tomcat5-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 3151ab51c99456cf46095557b421a47d  2009.0/x86_64/tomcat5-admin-webapps-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 4312fccb593f577b34a77363c140460b  2009.0/x86_64/tomcat5-common-lib-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 04580ac069d37ea7ce1223f744dd63bf  2009.0/x86_64/tomcat5-jasper-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 adf6a50a74e425cd579d4c76fe518f88  2009.0/x86_64/tomcat5-jasper-eclipse-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 be1cdc23f0f7a115835062c6dd22f68e  2009.0/x86_64/tomcat5-jasper-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 827ce79fb2c78c7cd5e2b9ed74e60564  2009.0/x86_64/tomcat5-jsp-2.0-api-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 5ad827a665ee9a6b20d1e771ada0922a  2009.0/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 1133aad0b9a2715bbea40e925f065f0e  2009.0/x86_64/tomcat5-server-lib-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 734a3311954704b8d31c134c204273f3  2009.0/x86_64/tomcat5-servlet-2.4-api-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 e61e4817d3fe00bca326b7d078d38cc1  2009.0/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 4f37e8f46d3435971ad107d3012c2722  2009.0/x86_64/tomcat5-webapps-5.5.27-0.3.0.4mdv2009.0.noarch.rpm 
 78f469b9bdf9461e9dd423fa51a00fbb  2009.0/SRPMS/tomcat5-5.5.27-0.3.0.4mdv2009.0.src.rpm

MES5 i586

 bd71ae4141fbf5a884cfbccc756c8329  mes5/i586/tomcat5-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 75b8764895d7b231901602dd0605f2e2  mes5/i586/tomcat5-admin-webapps-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 6c827ad66b01560b72c5a8c96616afaa  mes5/i586/tomcat5-common-lib-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 1a2155333c323146ef3e1fbdeae96035  mes5/i586/tomcat5-jasper-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 554ec541f6857a7946a6fae67c0a2fa6  mes5/i586/tomcat5-jasper-eclipse-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 10b54ca8ebefcd816bade65dae8e408b  mes5/i586/tomcat5-jasper-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 8a12958fd3040ca0f4ce23bb7a3a1bdf  mes5/i586/tomcat5-jsp-2.0-api-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 320881d8a847077fc8a7d70d7d0e0a02  mes5/i586/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 8ab623786a3479dc5e990b9949a13502  mes5/i586/tomcat5-server-lib-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 d4c53039181b378a3da1016c137ad843  mes5/i586/tomcat5-servlet-2.4-api-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 52922ac7e5b4c1a7356d5248cf264a1d  mes5/i586/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 6cf03c3b0981031f6bf7b8710990bcb0  mes5/i586/tomcat5-webapps-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm 
 a4f9e4804454f2d628865ad654d6a188  mes5/SRPMS/tomcat5-5.5.27-0.3.0.4mdvmes5.1.src.rpm

2010.0 x86_64

 c4999736e1bc0c9a5a97d594cee65c1c  2010.0/x86_64/tomcat5-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 6b1e3d535d54b0be9e2ae5d1097ccada  2010.0/x86_64/tomcat5-admin-webapps-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 8b312a00888405017f0a569a941ef886  2010.0/x86_64/tomcat5-common-lib-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 2418f2e08935a6f0992b092a4bffecc8  2010.0/x86_64/tomcat5-jasper-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 83a682d9a8f037101b9551cd78a016c6  2010.0/x86_64/tomcat5-jasper-eclipse-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 bb1adfd0118f39da9a5b3f65ae84e62f  2010.0/x86_64/tomcat5-jasper-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 4a98e6b4fc7d0f857fc992b939d842ad  2010.0/x86_64/tomcat5-jsp-2.0-api-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 4037dc8df08254a5c8e93313221a7514  2010.0/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 1c1a706e810c6cd0c063d84b0522585a  2010.0/x86_64/tomcat5-server-lib-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 62bc24195dda4032d33bb206031bd037  2010.0/x86_64/tomcat5-servlet-2.4-api-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 c3bb0d7222dbc10f3d14a95ca8a79644  2010.0/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 a300b02d11c66be9c4b7025a16db508d  2010.0/x86_64/tomcat5-webapps-5.5.27-0.5.0.2mdv2010.0.noarch.rpm 
 3e8072e942561408d7c33bd24517b4c9  2010.0/SRPMS/tomcat5-5.5.27-0.5.0.2mdv2010.0.src.rpm

2010.1 i586

 5bdb48aeda19057db32a64589eacd82a  2010.1/i586/tomcat5-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 96ecbc6c012122bf2e11e500c6402205  2010.1/i586/tomcat5-admin-webapps-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 a176c1651cc2d08ed8510c01622d5176  2010.1/i586/tomcat5-common-lib-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 9240df47c808e342c5bc6dcd910d85f5  2010.1/i586/tomcat5-jasper-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 6f46c2c619ec79ec43783efcf7e908c2  2010.1/i586/tomcat5-jasper-eclipse-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 133a8b24ec4aa7662c0145ff5303beca  2010.1/i586/tomcat5-jasper-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 97eaf631f481c6431c7439755e33fde5  2010.1/i586/tomcat5-jsp-2.0-api-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 794935023c7630d13a887b474b78bb7e  2010.1/i586/tomcat5-jsp-2.0-api-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 ce72eb40ddf157064e8926eb58e2740b  2010.1/i586/tomcat5-server-lib-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 84f3460a32131aef7f663ea2c5981859  2010.1/i586/tomcat5-servlet-2.4-api-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 f04fe3121f8b1cf579f0cc92099c364a  2010.1/i586/tomcat5-servlet-2.4-api-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 ec6163a7e1ee720c01f86b7070ae1a5d  2010.1/i586/tomcat5-webapps-5.5.28-0.5.0.2mdv2010.2.noarch.rpm 
 e480656f0abde41f97e478151a7fc71f  2010.1/SRPMS/tomcat5-5.5.28-0.5.0.2mdv2010.2.src.rpm

2010.0 i586

 39e1b0164f00a89b96865243916eccb6  2010.0/i586/tomcat5-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 b406cccf6e7886b5c47de22ecc82088d  2010.0/i586/tomcat5-admin-webapps-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 b5c3e735cec844c1a7c1206c78a6af51  2010.0/i586/tomcat5-common-lib-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 0561c5ba6f593f8cb21d6433b31bbdf0  2010.0/i586/tomcat5-jasper-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 c3d3ed8727164b1542b08cc35b74eeb3  2010.0/i586/tomcat5-jasper-eclipse-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 137b051b6fa4a159098151aed959d4b8  2010.0/i586/tomcat5-jasper-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 fb2d81779b9a6701f935b69c72dfd1a2  2010.0/i586/tomcat5-jsp-2.0-api-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 247083e1e461555c064c57fb22293eb4  2010.0/i586/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 1eb783fc2a5fd77fc04327f103f3e924  2010.0/i586/tomcat5-server-lib-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 ff93f3807ad38a6f3efd3b755e4b8a9c  2010.0/i586/tomcat5-servlet-2.4-api-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 63293aef2e275ccf3c5dca5ab69b1a5b  2010.0/i586/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 5295cf4e876b552468657fd61eff83af  2010.0/i586/tomcat5-webapps-5.5.27-0.5.0.2mdv2010.0.noarch.rpm 
 3e8072e942561408d7c33bd24517b4c9  2010.0/SRPMS/tomcat5-5.5.27-0.5.0.2mdv2010.0.src.rpm

2009.0 i586

 4acc23d840bdd74a8a2a27717c57f813  2009.0/i586/tomcat5-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 d901fdb0a4995bf9eb2870b3c9a1d249  2009.0/i586/tomcat5-admin-webapps-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 ae34366f41b039c6e53631b185547a7b  2009.0/i586/tomcat5-common-lib-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 ade05ceda9f2ae4fb342e7ef5df474e2  2009.0/i586/tomcat5-jasper-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 51fab09365486ad60ed686935c1c7511  2009.0/i586/tomcat5-jasper-eclipse-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 5f1fc1ea7c38546a38a04000cdf9212a  2009.0/i586/tomcat5-jasper-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 bddc26db0a0e9aea3223927566b11442  2009.0/i586/tomcat5-jsp-2.0-api-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 effd51cb30b8d2bb5f12a3a0507b1260  2009.0/i586/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 e71a36bd07ad8f241104e0e322900d55  2009.0/i586/tomcat5-server-lib-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 fc68ce165e49fa63529cda996f9e7e6f  2009.0/i586/tomcat5-servlet-2.4-api-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 aa8f7e5205aa734f94661d2e1d87cf03  2009.0/i586/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 09488edfcc731340c51322540e050445  2009.0/i586/tomcat5-webapps-5.5.27-0.3.0.4mdv2009.0.noarch.rpm 
 78f469b9bdf9461e9dd423fa51a00fbb  2009.0/SRPMS/tomcat5-5.5.27-0.3.0.4mdv2009.0.src.rpm

MES5 x86_64

 20eee581278206c28db4e304a6756671  mes5/x86_64/tomcat5-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 d6b1d88885c03c36a84dd7703bb82bbb  mes5/x86_64/tomcat5-admin-webapps-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 a04900de513cbaf5359b41b1df0e9ff3  mes5/x86_64/tomcat5-common-lib-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 c58d2e125e9c2e4de256224d64cf1d46  mes5/x86_64/tomcat5-jasper-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 7612d8a28f5e008405a282ceb265a769  mes5/x86_64/tomcat5-jasper-eclipse-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 0796bfcd6e042c1128426bb47aae03d5  mes5/x86_64/tomcat5-jasper-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 2ccd09878fd1f3ef8e4846864bd2f71e  mes5/x86_64/tomcat5-jsp-2.0-api-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 1b94570c1a5913fd0eefbcbee71afdc8  mes5/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 ca2608f81795ff805e34e7316799a6a7  mes5/x86_64/tomcat5-server-lib-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 37d677648216a2d5577db95f0ab9f194  mes5/x86_64/tomcat5-servlet-2.4-api-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 42077f152ee121ed61cda754200f8902  mes5/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 75657b92a4a6d94e27c3188653cad41e  mes5/x86_64/tomcat5-webapps-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm 
 a4f9e4804454f2d628865ad654d6a188  mes5/SRPMS/tomcat5-5.5.27-0.3.0.4mdvmes5.1.src.rpm

2010.1 x86_64

 405ff9248913717a0249614e3ccdeff4  2010.1/x86_64/tomcat5-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 0500f420f913cac42c8c2398182e0b8d  2010.1/x86_64/tomcat5-admin-webapps-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 f796e84a6cf4dac452eaaec03b819c97  2010.1/x86_64/tomcat5-common-lib-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 3e25bb28dc6c08b2dcbd1a272d01eaec  2010.1/x86_64/tomcat5-jasper-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 07e577e2fbc57e40b944478449715240  2010.1/x86_64/tomcat5-jasper-eclipse-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 1e688aca310915303d257abaa0c55099  2010.1/x86_64/tomcat5-jasper-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 631f812a7a32013ba301cecbeb23163d  2010.1/x86_64/tomcat5-jsp-2.0-api-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 5970e0221d6d5386f04316b6805c6bfc  2010.1/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 f64a8611f668cd19bafb0a8884c3b998  2010.1/x86_64/tomcat5-server-lib-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 ba19195b485e4468780f36010c5215b5  2010.1/x86_64/tomcat5-servlet-2.4-api-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 e241ad2d2ea43d6515b61a256fdbc61e  2010.1/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 15718f212c8d29bdbaac81ab40afbd2a  2010.1/x86_64/tomcat5-webapps-5.5.28-0.5.0.2mdv2010.2.noarch.rpm 
 e480656f0abde41f97e478151a7fc71f  2010.1/SRPMS/tomcat5-5.5.28-0.5.0.2mdv2010.2.src.rpm

References