Package name
tomcat5
Date
2013-01-10
Advisory ID
MDVSA-2013:004
Affected versions
MES5 i586 , MES5 x86_64

Problem description

Multiple vulnerabilities have been found and corrected in tomcat5:

The replay-countermeasure functionality in the HTTP Digest Access
Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x
before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce)
values instead of nonce (aka server nonce) and nc (aka nonce-count)
values, which makes it easier for remote attackers to bypass intended
access restrictions by sniffing the network for valid requests,
a different vulnerability than CVE-2011-1184 (CVE-2012-5885).

The HTTP Digest Access Authentication implementation in Apache Tomcat
5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches
information about the authenticated user within the session state,
which makes it easier for remote attackers to bypass authentication
via vectors related to the session ID (CVE-2012-5886).

The HTTP Digest Access Authentication implementation in Apache Tomcat
5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not
properly check for stale nonce values in conjunction with enforcement
of proper credentials, which makes it easier for remote attackers
to bypass intended access restrictions by sniffing the network for
valid requests (CVE-2012-5887).
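The three descriptions above share one theme: an HTTP Digest server must remember its own nonce and the nonce-count (nc) the client sent with it, and must refuse a stale nonce even when the response digest verifies. The following Python sketch is an added example written for this advisory, not Tomcat's code; the class DigestVerifier, the constants SERVER_SECRET, NONCE_VALIDITY and USERS, the "timestamp:MAC" nonce layout and the small-cache eviction scenario are all this example's own assumptions. It builds RFC 2617 "auth" responses the way a client would, then checks them with the weak countermeasure the advisory describes (only client-chosen cnonce values remembered, CVE-2012-5885) beside the corrected one (nc tracked per server nonce), and shows the stale check being applied after the credentials pass (CVE-2012-5887).

```python
import hashlib
import hmac
from collections import OrderedDict

REALM = "example"
SERVER_SECRET = b"server-side-secret"   # assumed: server key used to MAC nonces
NONCE_VALIDITY = 300                    # assumed: seconds a server nonce stays fresh
USERS = {"alice": "correct horse"}       # constructed test credential


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(issued_at: int) -> str:
    """nonce = '<timestamp>:<MAC>': the server recovers the issue time and
    rejects nonces it never minted, with no lookup needed."""
    mac = hmac.new(SERVER_SECRET, str(issued_at).encode(), "md5").hexdigest()
    return f"{issued_at}:{mac}"


def nonce_issued_at(nonce: str):
    """Return the issue timestamp, or None if the nonce is forged."""
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit():
        return None
    expected = hmac.new(SERVER_SECRET, ts.encode(), "md5").hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return int(ts)


def digest_response(user, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 qop=auth response, exactly what the client computes."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestVerifier:
    """track_server_nonce=False remembers only cnonce values in a bounded
    cache (the weak countermeasure); True tracks nc per server nonce."""

    def __init__(self, track_server_nonce=True, cache_size=2):
        self.track_server_nonce = track_server_nonce
        self.cache_size = cache_size
        self.seen = OrderedDict()   # key -> highest nc accepted for that key

    def _remember(self, key, nc):
        self.seen[key] = nc
        self.seen.move_to_end(key)
        while len(self.seen) > self.cache_size:
            self.seen.popitem(last=False)   # evict the oldest entry

    def check(self, req, now):
        """Return 'ok', 'bad-credentials', 'stale' or 'replay'."""
        password = USERS.get(req["user"])
        issued = nonce_issued_at(req["nonce"])
        if password is None or issued is None:
            return "bad-credentials"
        want = digest_response(req["user"], password, req["method"], req["uri"],
                               req["nonce"], req["nc"], req["cnonce"])
        if not hmac.compare_digest(want, req["response"]):
            return "bad-credentials"
        # Credentials verified, but a stale nonce still gets no access:
        # the client is re-challenged with stale=true and a fresh nonce.
        if now - issued > NONCE_VALIDITY:
            return "stale"
        nc = int(req["nc"], 16)
        if self.track_server_nonce:
            # nc must strictly increase for each server nonce
            if nc <= self.seen.get(req["nonce"], 0):
                return "replay"
            self._remember(req["nonce"], nc)
        else:
            # only the client-chosen cnonce is remembered
            if req["cnonce"] in self.seen:
                return "replay"
            self._remember(req["cnonce"], nc)
        return "ok"


def client_request(user, password, nonce, nc, cnonce, uri="/admin"):
    """What a legitimate client sends (and what a sniffer captures)."""
    req = {"user": user, "method": "GET", "uri": uri, "nonce": nonce,
           "nc": nc, "cnonce": cnonce}
    req["response"] = digest_response(user, password, "GET", uri, nonce, nc, cnonce)
    return req


def replay_scenario(track_server_nonce):
    """Capture one valid request, let two later requests on the same server
    nonce cycle the (assumed, tiny) cache, then replay the capture."""
    now = 1_000_000
    v = DigestVerifier(track_server_nonce, cache_size=2)
    nonce = make_nonce(now)
    sniffed = client_request("alice", "correct horse", nonce, "00000001", "c1")
    assert v.check(sniffed, now) == "ok"
    for i, cn in ((2, "c2"), (3, "c3")):
        v.check(client_request("alice", "correct horse", nonce, f"{i:08x}", cn), now + i)
    return v.check(sniffed, now + 10)   # the attacker's replay


if __name__ == "__main__":
    print("cnonce-only tracking:", replay_scenario(False))   # replay accepted
    print("nonce+nc tracking:   ", replay_scenario(True))    # replay refused
```

The cache size of two is chosen only to make eviction visible in a few lines; the point generalises to any bounded cache keyed on a value the client controls. Note the order in check(): the stale decision is taken after the response digest has verified, so a valid-looking replay of an expired nonce is refused rather than granted, and the "stale" result is what should drive a stale=true challenge rather than a plain 401. The session-caching issue (CVE-2012-5886) is not modelled here; its fix is simply to re-run this check on every request instead of treating a session ID as proof of authentication.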

The updated packages have been patched to correct these issues.

Updated packages

MES5 i586

 935ea1aaf1d25f4456ba83ce99db63bc  mes5/i586/tomcat5-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 9844570f107eb192c8f2ea58192bb347  mes5/i586/tomcat5-admin-webapps-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 fd9368b9caf993e85d72b97fa53a6ca6  mes5/i586/tomcat5-common-lib-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 fca1d2dcaf9a512652ae60d24ef611ee  mes5/i586/tomcat5-jasper-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 6ed9a7677dd8e0d4e71aa3a7d9b2b885  mes5/i586/tomcat5-jasper-eclipse-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 7e879ad00c1c2c590782a09a68cd7b70  mes5/i586/tomcat5-jasper-javadoc-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 25c982ceb5a544c8aae91c9cceb4caf0  mes5/i586/tomcat5-jsp-2.0-api-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 6f20f6d3f60ff3eb6b133515e9541b3e  mes5/i586/tomcat5-jsp-2.0-api-javadoc-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 fb80972b920d7b6b25b2d4e962a9d2ac  mes5/i586/tomcat5-server-lib-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 8b74bd76be82d12738e5b588d8df1cff  mes5/i586/tomcat5-servlet-2.4-api-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 e511972010d64177d2ba7ed454e8947e  mes5/i586/tomcat5-servlet-2.4-api-javadoc-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 fce151e02613993c6ff149cbb82400fd  mes5/i586/tomcat5-webapps-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm 
 d1175cae7e2aec4e9383144d3aa8ea84  mes5/SRPMS/tomcat5-5.5.28-0.5.0.5mdvmes5.2.src.rpm

MES5 x86_64

 d38d7f51ae6f7e64807856b862c40b75  mes5/x86_64/tomcat5-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 f7d63f858748a708c10acd8546b02b05  mes5/x86_64/tomcat5-admin-webapps-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 ca98317313a6ffff9123f77c5001e3d6  mes5/x86_64/tomcat5-common-lib-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 e2be9cad2d7ed9d7af3845c2d0aa55f9  mes5/x86_64/tomcat5-jasper-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 19627cae9df7af23408d42a439089c59  mes5/x86_64/tomcat5-jasper-eclipse-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 8a901bd98ebab0d2cdecf5d1e92f524a  mes5/x86_64/tomcat5-jasper-javadoc-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 748e8d22caa1cca056f9dda523e64e62  mes5/x86_64/tomcat5-jsp-2.0-api-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 229b57db6d6664b53407b1b9a3995319  mes5/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 fd8bc83d41aa6ddabbb1097a9157c8e8  mes5/x86_64/tomcat5-server-lib-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 76ff8939382f1200a918b39677cd1de1  mes5/x86_64/tomcat5-servlet-2.4-api-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 5cb677220b4d423041c17aace76d31bd  mes5/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
 4d87e7273290e1bbaa04903c31d00b24  mes5/x86_64/tomcat5-webapps-5.5.28-0.5.0.5mdvmes5.2.noarch.rpm 
 d1175cae7e2aec4e9383144d3aa8ea84  mes5/SRPMS/tomcat5-5.5.28-0.5.0.5mdvmes5.2.src.rpm
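The package list above is already in the "<md5>  <path>" form that md5sum -c reads, so it can be used directly to check downloads before installation. The following POSIX sh functions are an added example for this advisory, not part of it; the function names, the MD5SUMS file name and the sort -V approximation of rpm's version ordering are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not part of the advisory): check downloaded RPMs against
# the hash list above and confirm the installed tomcat5 is the fixed release.

# Returns 0 only if every file listed in the manifest exists and matches;
# a missing file, an unparsable line or a mismatch is a failure.
verify_manifest() {
    md5sum -c --quiet --strict "$1"
}

# True when version-release string $1 is at least $2. GNU sort -V ordering
# is an approximation of rpm's own comparison (assumption: exact for these
# mdvmes5 release strings).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Query the installed package and compare it with the fixed release;
# returns 1 when the package is absent.
installed_is_fixed() {
    pkg="$1"; fixed="$2"
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null) || return 1
    version_ge "$installed" "$fixed"
}

# Usage on an MES5 host, after mirroring the listed files under the same
# mes5/<arch>/ layout and saving the hash lines into MD5SUMS (assumed name):
#   verify_manifest MD5SUMS && urpmi mes5/i586/tomcat5-*5.5.28-0.5.0.5mdvmes5.2.noarch.rpm
#   installed_is_fixed tomcat5 5.5.28-0.5.0.5mdvmes5.2 && echo "fixed release installed"
```

The MD5 list protects against a corrupted or truncated download, not against a malicious mirror: MD5 collisions are practical and the list itself travels with the advisory, so authenticity should still come from the RPM signature (rpm --checksig on the downloaded files, or the distribution's signed metadata via urpmi).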

References