-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:138
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : tomcat5
 Date    : June 22, 2009
 Affected: 2009.0, 2009.1
 _______________________________________________________________________

 Problem Description:

 Multiple security vulnerabilities have been identified and fixed
 in tomcat5:

 Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through
 6.0.18, and possibly earlier versions normalizes the target pathname
 before filtering the query string when using the RequestDispatcher
 method, which allows remote attackers to bypass intended access
 restrictions and conduct directory traversal attacks via .. (dot dot)
 sequences and the WEB-INF directory in a Request (CVE-2008-5515).

 Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
 through 6.0.18, when the Java AJP connector and mod_jk load balancing
 are used, allows remote attackers to cause a denial of service
 (application outage) via a crafted request with invalid headers,
 related to temporary blocking of connectors that have encountered
 errors, as demonstrated by an error involving a malformed HTTP Host
 header (CVE-2009-0033).

 Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
 through 6.0.18, when FORM authentication is used, allows remote
 attackers to enumerate valid usernames via requests to
 /j_security_check with malformed URL encoding of passwords, related to
 improper error checking in the (1) MemoryRealm, (2) DataSourceRealm,
 and (3) JDBCRealm authentication realms, as demonstrated by a %
 (percent) value for the j_password parameter (CVE-2009-0580).

 The calendar application in the examples web application contains an
 XSS flaw due to invalid HTML which renders the XSS filtering
 protection ineffective (CVE-2009-0781).
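 The ordering bug behind CVE-2008-5515, as an added illustration (this
 is not Tomcat's code and not part of the advisory): a Python model of
 the two ways a dispatcher can turn "/view.jsp?x=/../WEB-INF/web.xml"
 into a target path. normalize() approximates the container's collapsing
 of "." and ".." segments, and the application pattern of forwarding to
 a fixed page while appending the client's query string is a constructed
 example. Names such as vulnerable_dispatch_target and
 reaches_protected_dir are this example's own.

```python
# Added illustration of CVE-2008-5515: normalize-then-strip-query ordering
# in RequestDispatcher path handling. Python emulation, not Tomcat's code;
# normalize() approximates the container's path collapsing.
import posixpath

# Directories a forward/include from client-controlled input must never reach.
PROTECTED_PREFIXES = ("/WEB-INF", "/META-INF")


def normalize(path):
    """Collapse '.' and '..' segments the way a servlet container does (approximation)."""
    return posixpath.normpath(path)


def vulnerable_dispatch_target(path):
    """Ordering used by the affected releases: normalize the whole string,
    then strip the query. A '..' inside the query string therefore swallows
    the real target segment before the query is ever removed."""
    normalized = normalize(path)
    target, _, query = normalized.partition("?")
    return target, query


def fixed_dispatch_target(path):
    """Fixed ordering: separate the query string first, then normalize only the path."""
    target, _, query = path.partition("?")
    return normalize(target), query


def reaches_protected_dir(target):
    """True if a forward/include would land inside WEB-INF or META-INF."""
    upper = target.upper()
    return any(upper == p or upper.startswith(p + "/") for p in PROTECTED_PREFIXES)


def forward_with_client_query(dispatch, client_query_string):
    """Constructed application pattern: forward to a fixed page but pass the
    client's query string along, i.e. the Java equivalent of
    getRequestDispatcher("/view.jsp?" + request.getQueryString())."""
    return dispatch("/view.jsp?" + client_query_string)


if __name__ == "__main__":
    probe = "x=/../WEB-INF/web.xml"  # constructed attacker-supplied query string
    for name, fn in (("vulnerable", vulnerable_dispatch_target),
                     ("fixed", fixed_dispatch_target)):
        target, query = forward_with_client_query(fn, probe)
        print(f"{name:10s} -> target={target!r} query={query!r} "
              f"protected={reaches_protected_dir(target)}")
```

 With the vulnerable ordering the forward lands on /WEB-INF/web.xml with
 an empty query string; with the fixed ordering it stays on /view.jsp and
 the traversal sequence is left inert inside the query. Independently of
 the patch, never build a dispatcher path from request data.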
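 The enumeration mechanism behind CVE-2009-0580, as an added illustration
 (again not Tomcat's code and not part of the advisory): a constructed
 Python model of a FORM-authentication handler and its realm. The user
 store, the PBKDF2 hashing, the status codes and the names
 vulnerable_login, hardened_login and enumeration_oracle are all
 assumptions of this example. It shows how rejecting unknown users before
 the password is decoded makes a lone "%" in j_password answer differently
 for existing and non-existing names, and how a handler that decodes and
 validates first, does the same work for every name and returns one
 failure response closes the oracle.

```python
# Added illustration of CVE-2009-0580: username enumeration via a malformed
# j_password. Constructed model of a FORM-auth handler, not Tomcat's code;
# the realm contents, hashing and status codes are assumptions.
import hashlib
import hmac
import secrets
import string


def strict_unquote(s):
    """URL-decode, raising ValueError on a malformed %-escape (a lone '%', '%zz').
    urllib.parse.unquote would silently pass such input through and hide the bug."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == "%":
            pair = s[i + 1:i + 3]
            if len(pair) != 2 or not all(ch in string.hexdigits for ch in pair):
                raise ValueError(f"malformed %-escape at offset {i}")
            out.append(int(pair, 16))
            i += 3
        elif c == "+":
            out.append(0x20)
            i += 1
        else:
            out.extend(c.encode("utf-8"))
            i += 1
    return out.decode("utf-8")


def make_record(password):
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def verify(record, password):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return hmac.compare_digest(candidate, digest)


USERS = {"alice": make_record("correct horse")}  # constructed sample realm
DUMMY = make_record(secrets.token_hex(16))       # hashed for unknown names, keeps timing uniform


def vulnerable_login(username, raw_password):
    """Affected pattern: unknown users are rejected before the password is
    touched; for known users the malformed password is decoded and the
    error escapes the handler, so the response differs by username."""
    record = USERS.get(username)
    if record is None:
        return 401  # ordinary "login failed" page
    return 200 if verify(record, strict_unquote(raw_password)) else 401


def hardened_login(username, raw_password):
    """Decode and validate the input before any lookup, then perform the
    same work and return the same response whether or not the name exists."""
    try:
        password = strict_unquote(raw_password)
    except ValueError:
        password = None  # undecodable input is treated exactly like a wrong password
    record = USERS.get(username, DUMMY)
    matches = verify(record, password if password is not None else "")  # always hash
    return 200 if matches and password is not None and username in USERS else 401


def respond(handler, username, raw_password):
    """Container behaviour: an uncaught exception in the handler becomes a 500."""
    try:
        return handler(username, raw_password)
    except ValueError:
        return 500


def enumeration_oracle(handler, candidates, probe="%"):
    """Attacker's view: the status code each candidate username draws for the
    probe. Distinct codes for known and unknown names mean existence leaks."""
    return {u: respond(handler, u, probe) for u in candidates}


if __name__ == "__main__":
    names = ["alice", "mallory"]
    print("vulnerable:", enumeration_oracle(vulnerable_login, names))
    print("hardened:  ", enumeration_oracle(hardened_login, names))
```

 Against the vulnerable handler the probe returns 500 for alice and 401
 for mallory; against the hardened one both return 401. The same
 uniformity matters for any other observable (response length, redirect
 target, timing), which is why the hardened path hashes a dummy record
 for unknown names instead of returning early.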
 Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
 through 6.0.18 permits web applications to replace an XML parser used
 for other web applications, which allows local users to read or modify
 the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web
 applications via a crafted application that is loaded earlier than the
 target application (CVE-2009-0783).

 The updated packages have been patched to prevent this. Additionally,
 Apache Tomcat has been upgraded to the latest 5.5.27 version for
 2009.0. Note that 5.5.27 is itself within the affected range listed
 above, so the protection comes from the backported patches carried in
 the -0.3.0.1mdv builds, not from the version bump alone.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
 http://tomcat.apache.org/security-5.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 428b187497b4978051c7a6c4eac7e7cd  2009.0/i586/tomcat5-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 892d104aaf4eba625b8aece097a761f8  2009.0/i586/tomcat5-admin-webapps-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 a9c262792eb51f72602206ed582e201e  2009.0/i586/tomcat5-common-lib-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 312008330d70b0a738dbdb447b1a7eb5  2009.0/i586/tomcat5-jasper-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 7faf9b111c77426d292251717ee6c921  2009.0/i586/tomcat5-jasper-eclipse-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 632784effce6d3c1488db67bf715bf5a  2009.0/i586/tomcat5-jasper-javadoc-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 b626e7ad47d127c84a5ab4e4e195cb23  2009.0/i586/tomcat5-jsp-2.0-api-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 50dff9ec31232df9ed3a9a4ced2b308d  2009.0/i586/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 9e52510bc62f27eb83c4a8518612c245  2009.0/i586/tomcat5-server-lib-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 db73d8ff41b418c723a6ed0ef98873b3  2009.0/i586/tomcat5-servlet-2.4-api-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 c8c8eb4f4f2d3a790c3f24f792741da4  2009.0/i586/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 7e923ae7ac28655f2fbb2a5bf21f14cb  2009.0/i586/tomcat5-webapps-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 70b0daf5445d25ba28ca5c9faf35ab30  2009.0/SRPMS/tomcat5-5.5.27-0.3.0.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 adaf8aa38a56032c2af2b9e9a4d32f74  2009.0/x86_64/tomcat5-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 10ccca04d63fe432f1dfde1d68d37096  2009.0/x86_64/tomcat5-admin-webapps-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 4684a73eab871cdbb5944af43356292f  2009.0/x86_64/tomcat5-common-lib-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 9a6a9b1f7814493f643ddd66558af448  2009.0/x86_64/tomcat5-jasper-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 7fca471aac6926e59cd51f5a259a4aff  2009.0/x86_64/tomcat5-jasper-eclipse-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 44081f3dd19e85300dfa01119ed42c3d  2009.0/x86_64/tomcat5-jasper-javadoc-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 aa92d9b64e7a499409cae4c426dbfa2a  2009.0/x86_64/tomcat5-jsp-2.0-api-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 6dbf127680b58c3dbb318fcca1297e8e  2009.0/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 ac9fcec772e9cb2056b42f409be36bf9  2009.0/x86_64/tomcat5-server-lib-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 56e0cfa45b4f7f01ba0b672df187ecb4  2009.0/x86_64/tomcat5-servlet-2.4-api-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 4fbf140ef8760b63f8ae2a39fc665d96  2009.0/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 55b4425c6778e3633e4f4b054babaa37  2009.0/x86_64/tomcat5-webapps-5.5.27-0.3.0.1mdv2009.0.noarch.rpm
 70b0daf5445d25ba28ca5c9faf35ab30  2009.0/SRPMS/tomcat5-5.5.27-0.3.0.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 96440fed883e326b13985fe48321021d  2009.1/i586/tomcat5-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 d276901515b98ff3accfd120264d3a46  2009.1/i586/tomcat5-admin-webapps-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 cb8b99f44074805b1a61225aed1235f4  2009.1/i586/tomcat5-common-lib-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 3a7b3bca71fa7ef6fb784d7051c6736a  2009.1/i586/tomcat5-jasper-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 f2c0ccd5bc3251ce3b4bab0c44e39ef9  2009.1/i586/tomcat5-jasper-eclipse-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 425fefca7c5277e645d5b7965b256fa6  2009.1/i586/tomcat5-jasper-javadoc-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 c0b635c6f12ed81b50ef8f302b1602f6  2009.1/i586/tomcat5-jsp-2.0-api-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 616d65f3f9ced4f522f571f1ad6763b3  2009.1/i586/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 f9a9d71056a52ebd033cf060fa6c4779  2009.1/i586/tomcat5-server-lib-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 ad6fb637810872f1e0d7610e65f2b419  2009.1/i586/tomcat5-servlet-2.4-api-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 546af1e050b27e018b80a1e51f1e0dd0  2009.1/i586/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 73ebe6e6d30f04f18f2a6d2343e29d0c  2009.1/i586/tomcat5-webapps-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 2f973dcb1297bc0eb1fb4b60605431e7  2009.1/SRPMS/tomcat5-5.5.27-0.3.0.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 c933a3c0fe41915a27bce5b390ee0f1d  2009.1/x86_64/tomcat5-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 ff17d1526a1cc79c00bad9fb851eac83  2009.1/x86_64/tomcat5-admin-webapps-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 eb747524bb223902319e3394493bc4e9  2009.1/x86_64/tomcat5-common-lib-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 8daa93141056351326e4ddc36f78f478  2009.1/x86_64/tomcat5-jasper-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 bfd83b39fd977b34ad0b7bd76c7e9bf9  2009.1/x86_64/tomcat5-jasper-eclipse-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 cb6b940efcfdb997cd4a9c99fc59b95f  2009.1/x86_64/tomcat5-jasper-javadoc-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 15eb4406c3c5b869040bcf3a9c9e9dc8  2009.1/x86_64/tomcat5-jsp-2.0-api-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 4366ec41c3ad6a4c4fa8208b6df8df7a  2009.1/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 715ca3b9309e33f8b682fc36e4e3c2be  2009.1/x86_64/tomcat5-server-lib-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 a43b1b547a28f3204af8f348f3c16427  2009.1/x86_64/tomcat5-servlet-2.4-api-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 555f6333bb95694eae748f4f454a55ee  2009.1/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 0843f1dcaf4b5615db0cfe60eb75c93c  2009.1/x86_64/tomcat5-webapps-5.5.27-0.3.0.1mdv2009.1.noarch.rpm
 2f973dcb1297bc0eb1fb4b60605431e7  2009.1/SRPMS/tomcat5-5.5.27-0.3.0.1mdv2009.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKQAfhmqjQ0CJFipgRAvTWAJ446uOYsHLI3v3Ox5vokMTwloJkGQCfYytw
1RTR84DBZcvJ/gx+TWxwdXU=
=3KZb
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/