lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1PqXaS-0005dy-F3@titan.mandriva.com>
Date: Fri, 18 Feb 2011 22:10:00 +0100
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2011:030 ] tomcat5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:030
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : tomcat5
 Date    : February 18, 2011
 Affected: 2009.0, 2010.0, 2010.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in tomcat5:
 
 When running under a SecurityManager, access to the file system is
 limited but web applications are granted read/write permissions to
 the work directory. This directory is used for a variety of temporary
 files such as the intermediate files generated when compiling JSPs
 to Servlets. The location of the work directory is specified by
 a ServletContect attribute that is meant to be read-only to web
 applications. However, due to a coding error, the read-only setting
 was not applied. Therefore, a malicious web application may modify
 the attribute before Tomcat applies the file permissions. This can be
 used to grant read/write permissions to any area on the file system
 which a malicious web application may then take advantage of. This
 vulnerability is only applicable when hosting web applications from
 untrusted sources such as shared hosting environments (CVE-2010-3718).
 
 The HTML Manager interface displayed web applciation provided data,
 such as display names, without filtering. A malicious web application
 could trigger script execution by an administartive user when viewing
 the manager pages (CVE-2011-0013).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=490
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 4acc23d840bdd74a8a2a27717c57f813  2009.0/i586/tomcat5-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 d901fdb0a4995bf9eb2870b3c9a1d249  2009.0/i586/tomcat5-admin-webapps-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 ae34366f41b039c6e53631b185547a7b  2009.0/i586/tomcat5-common-lib-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 ade05ceda9f2ae4fb342e7ef5df474e2  2009.0/i586/tomcat5-jasper-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 51fab09365486ad60ed686935c1c7511  2009.0/i586/tomcat5-jasper-eclipse-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 5f1fc1ea7c38546a38a04000cdf9212a  2009.0/i586/tomcat5-jasper-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 bddc26db0a0e9aea3223927566b11442  2009.0/i586/tomcat5-jsp-2.0-api-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 effd51cb30b8d2bb5f12a3a0507b1260  2009.0/i586/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 e71a36bd07ad8f241104e0e322900d55  2009.0/i586/tomcat5-server-lib-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 fc68ce165e49fa63529cda996f9e7e6f  2009.0/i586/tomcat5-servlet-2.4-api-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 aa8f7e5205aa734f94661d2e1d87cf03  2009.0/i586/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 09488edfcc731340c51322540e050445  2009.0/i586/tomcat5-webapps-5.5.27-0.3.0.4mdv2009.0.noarch.rpm 
 78f469b9bdf9461e9dd423fa51a00fbb  2009.0/SRPMS/tomcat5-5.5.27-0.3.0.4mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 7f3a9c9a0f48012967fece5d682cc344  2009.0/x86_64/tomcat5-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 3151ab51c99456cf46095557b421a47d  2009.0/x86_64/tomcat5-admin-webapps-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 4312fccb593f577b34a77363c140460b  2009.0/x86_64/tomcat5-common-lib-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 04580ac069d37ea7ce1223f744dd63bf  2009.0/x86_64/tomcat5-jasper-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 adf6a50a74e425cd579d4c76fe518f88  2009.0/x86_64/tomcat5-jasper-eclipse-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 be1cdc23f0f7a115835062c6dd22f68e  2009.0/x86_64/tomcat5-jasper-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 827ce79fb2c78c7cd5e2b9ed74e60564  2009.0/x86_64/tomcat5-jsp-2.0-api-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 5ad827a665ee9a6b20d1e771ada0922a  2009.0/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 1133aad0b9a2715bbea40e925f065f0e  2009.0/x86_64/tomcat5-server-lib-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 734a3311954704b8d31c134c204273f3  2009.0/x86_64/tomcat5-servlet-2.4-api-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 e61e4817d3fe00bca326b7d078d38cc1  2009.0/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
 4f37e8f46d3435971ad107d3012c2722  2009.0/x86_64/tomcat5-webapps-5.5.27-0.3.0.4mdv2009.0.noarch.rpm 
 78f469b9bdf9461e9dd423fa51a00fbb  2009.0/SRPMS/tomcat5-5.5.27-0.3.0.4mdv2009.0.src.rpm

 Mandriva Linux 2010.0:
 39e1b0164f00a89b96865243916eccb6  2010.0/i586/tomcat5-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 b406cccf6e7886b5c47de22ecc82088d  2010.0/i586/tomcat5-admin-webapps-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 b5c3e735cec844c1a7c1206c78a6af51  2010.0/i586/tomcat5-common-lib-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 0561c5ba6f593f8cb21d6433b31bbdf0  2010.0/i586/tomcat5-jasper-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 c3d3ed8727164b1542b08cc35b74eeb3  2010.0/i586/tomcat5-jasper-eclipse-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 137b051b6fa4a159098151aed959d4b8  2010.0/i586/tomcat5-jasper-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 fb2d81779b9a6701f935b69c72dfd1a2  2010.0/i586/tomcat5-jsp-2.0-api-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 247083e1e461555c064c57fb22293eb4  2010.0/i586/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 1eb783fc2a5fd77fc04327f103f3e924  2010.0/i586/tomcat5-server-lib-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 ff93f3807ad38a6f3efd3b755e4b8a9c  2010.0/i586/tomcat5-servlet-2.4-api-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 63293aef2e275ccf3c5dca5ab69b1a5b  2010.0/i586/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 5295cf4e876b552468657fd61eff83af  2010.0/i586/tomcat5-webapps-5.5.27-0.5.0.2mdv2010.0.noarch.rpm 
 3e8072e942561408d7c33bd24517b4c9  2010.0/SRPMS/tomcat5-5.5.27-0.5.0.2mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 c4999736e1bc0c9a5a97d594cee65c1c  2010.0/x86_64/tomcat5-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 6b1e3d535d54b0be9e2ae5d1097ccada  2010.0/x86_64/tomcat5-admin-webapps-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 8b312a00888405017f0a569a941ef886  2010.0/x86_64/tomcat5-common-lib-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 2418f2e08935a6f0992b092a4bffecc8  2010.0/x86_64/tomcat5-jasper-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 83a682d9a8f037101b9551cd78a016c6  2010.0/x86_64/tomcat5-jasper-eclipse-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 bb1adfd0118f39da9a5b3f65ae84e62f  2010.0/x86_64/tomcat5-jasper-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 4a98e6b4fc7d0f857fc992b939d842ad  2010.0/x86_64/tomcat5-jsp-2.0-api-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 4037dc8df08254a5c8e93313221a7514  2010.0/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 1c1a706e810c6cd0c063d84b0522585a  2010.0/x86_64/tomcat5-server-lib-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 62bc24195dda4032d33bb206031bd037  2010.0/x86_64/tomcat5-servlet-2.4-api-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 c3bb0d7222dbc10f3d14a95ca8a79644  2010.0/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
 a300b02d11c66be9c4b7025a16db508d  2010.0/x86_64/tomcat5-webapps-5.5.27-0.5.0.2mdv2010.0.noarch.rpm 
 3e8072e942561408d7c33bd24517b4c9  2010.0/SRPMS/tomcat5-5.5.27-0.5.0.2mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 5bdb48aeda19057db32a64589eacd82a  2010.1/i586/tomcat5-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 96ecbc6c012122bf2e11e500c6402205  2010.1/i586/tomcat5-admin-webapps-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 a176c1651cc2d08ed8510c01622d5176  2010.1/i586/tomcat5-common-lib-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 9240df47c808e342c5bc6dcd910d85f5  2010.1/i586/tomcat5-jasper-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 6f46c2c619ec79ec43783efcf7e908c2  2010.1/i586/tomcat5-jasper-eclipse-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 133a8b24ec4aa7662c0145ff5303beca  2010.1/i586/tomcat5-jasper-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 97eaf631f481c6431c7439755e33fde5  2010.1/i586/tomcat5-jsp-2.0-api-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 794935023c7630d13a887b474b78bb7e  2010.1/i586/tomcat5-jsp-2.0-api-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 ce72eb40ddf157064e8926eb58e2740b  2010.1/i586/tomcat5-server-lib-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 84f3460a32131aef7f663ea2c5981859  2010.1/i586/tomcat5-servlet-2.4-api-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 f04fe3121f8b1cf579f0cc92099c364a  2010.1/i586/tomcat5-servlet-2.4-api-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 ec6163a7e1ee720c01f86b7070ae1a5d  2010.1/i586/tomcat5-webapps-5.5.28-0.5.0.2mdv2010.2.noarch.rpm 
 e480656f0abde41f97e478151a7fc71f  2010.1/SRPMS/tomcat5-5.5.28-0.5.0.2mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 405ff9248913717a0249614e3ccdeff4  2010.1/x86_64/tomcat5-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 0500f420f913cac42c8c2398182e0b8d  2010.1/x86_64/tomcat5-admin-webapps-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 f796e84a6cf4dac452eaaec03b819c97  2010.1/x86_64/tomcat5-common-lib-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 3e25bb28dc6c08b2dcbd1a272d01eaec  2010.1/x86_64/tomcat5-jasper-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 07e577e2fbc57e40b944478449715240  2010.1/x86_64/tomcat5-jasper-eclipse-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 1e688aca310915303d257abaa0c55099  2010.1/x86_64/tomcat5-jasper-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 631f812a7a32013ba301cecbeb23163d  2010.1/x86_64/tomcat5-jsp-2.0-api-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 5970e0221d6d5386f04316b6805c6bfc  2010.1/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 f64a8611f668cd19bafb0a8884c3b998  2010.1/x86_64/tomcat5-server-lib-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 ba19195b485e4468780f36010c5215b5  2010.1/x86_64/tomcat5-servlet-2.4-api-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 e241ad2d2ea43d6515b61a256fdbc61e  2010.1/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
 15718f212c8d29bdbaac81ab40afbd2a  2010.1/x86_64/tomcat5-webapps-5.5.28-0.5.0.2mdv2010.2.noarch.rpm 
 e480656f0abde41f97e478151a7fc71f  2010.1/SRPMS/tomcat5-5.5.28-0.5.0.2mdv2010.2.src.rpm

 Mandriva Enterprise Server 5:
 bd71ae4141fbf5a884cfbccc756c8329  mes5/i586/tomcat5-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 75b8764895d7b231901602dd0605f2e2  mes5/i586/tomcat5-admin-webapps-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 6c827ad66b01560b72c5a8c96616afaa  mes5/i586/tomcat5-common-lib-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 1a2155333c323146ef3e1fbdeae96035  mes5/i586/tomcat5-jasper-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 554ec541f6857a7946a6fae67c0a2fa6  mes5/i586/tomcat5-jasper-eclipse-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 10b54ca8ebefcd816bade65dae8e408b  mes5/i586/tomcat5-jasper-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 8a12958fd3040ca0f4ce23bb7a3a1bdf  mes5/i586/tomcat5-jsp-2.0-api-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 320881d8a847077fc8a7d70d7d0e0a02  mes5/i586/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 8ab623786a3479dc5e990b9949a13502  mes5/i586/tomcat5-server-lib-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 d4c53039181b378a3da1016c137ad843  mes5/i586/tomcat5-servlet-2.4-api-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 52922ac7e5b4c1a7356d5248cf264a1d  mes5/i586/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 6cf03c3b0981031f6bf7b8710990bcb0  mes5/i586/tomcat5-webapps-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm 
 a4f9e4804454f2d628865ad654d6a188  mes5/SRPMS/tomcat5-5.5.27-0.3.0.4mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 20eee581278206c28db4e304a6756671  mes5/x86_64/tomcat5-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 d6b1d88885c03c36a84dd7703bb82bbb  mes5/x86_64/tomcat5-admin-webapps-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 a04900de513cbaf5359b41b1df0e9ff3  mes5/x86_64/tomcat5-common-lib-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 c58d2e125e9c2e4de256224d64cf1d46  mes5/x86_64/tomcat5-jasper-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 7612d8a28f5e008405a282ceb265a769  mes5/x86_64/tomcat5-jasper-eclipse-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 0796bfcd6e042c1128426bb47aae03d5  mes5/x86_64/tomcat5-jasper-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 2ccd09878fd1f3ef8e4846864bd2f71e  mes5/x86_64/tomcat5-jsp-2.0-api-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 1b94570c1a5913fd0eefbcbee71afdc8  mes5/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 ca2608f81795ff805e34e7316799a6a7  mes5/x86_64/tomcat5-server-lib-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 37d677648216a2d5577db95f0ab9f194  mes5/x86_64/tomcat5-servlet-2.4-api-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 42077f152ee121ed61cda754200f8902  mes5/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
 75657b92a4a6d94e27c3188653cad41e  mes5/x86_64/tomcat5-webapps-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm 
 a4f9e4804454f2d628865ad654d6a188  mes5/SRPMS/tomcat5-5.5.27-0.3.0.4mdvmes5.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNXrAVmqjQ0CJFipgRAjIfAJ4yL+76n74D2G8gpFyNCGQ4s6+6GACglNTw
j0b0pCkznIMqccTMYR+zW5E=
=KGzB
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ