Security: Multiple issues in tomcat
Name: Multiple issues in tomcat
ID: FEDORA-2012-20151
Distribution: Fedora
Platforms: Fedora 16
Date: Wed, 19 December 2012, 11:08
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3546
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4534
Applications: Apache Tomcat
Original message

Name        : tomcat
Product     : Fedora 16
Version     : 7.0.33
Release     : 1.fc16
URL         : http://tomcat.apache.org/
Summary     : Apache Servlet/JSP Engine, RI for Servlet 3.0/JSP 2.2 API
Description :
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.
Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world.
-------------------------------------------------------------------------------
Update Information:

- Updated to 7.0.33
- Resolves: rhbz 873620 need chkconfig for update-alternatives
- Resolves: rhbz 883676,883691,883704,873707 fix several security issues
- Resolves: rhbz 883806 refix logdir ownership
- Resolves: rhbz 820119 Remove bundled apache-commons-dbcp
-------------------------------------------------------------------------------
ChangeLog:

* Thu Dec 6 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.33-1
- Updated to 7.0.33
- Resolves: rhbz 873620 need chkconfig for update-alternatives
- Resolves: rhbz 873707 fix several security issues
- Resolves: rhbz 883806 refix logdir ownership
- Resolves: rhbz 820119 Remove bundled apache-commons-dbcp
* Tue Apr 10 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.27-2
- Fixed tomcat-native download
* Sat Apr 7 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.27-1
- Updated to 7.0.27
- Fixed jakarta-taglibs-standard BR and R
* Wed Feb 22 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.26-1
- Updated to 7.0.26
- Bug 790334: Change ownership of logdir for logrotate
* Thu Feb 16 2012 Krzysztof Daniel <kdaniel@redhat.com> 0:7.0.25-3
- Bug 790694: Priorities of jsp, servlet and el packages updated.
* Sun Jan 22 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.25-2
- Added hack for maven depmap of tomcat-juli absolute link [ -f ] pass correctly
* Sat Jan 21 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.25-1
- Updated to 7.0.25
- Removed EntityResolver patch (changes already in upstream sources)
- Place poms and depmaps in the same package as jars
- Added javax.servlet.descriptor to export-package of servlet-api
- Move several chkconfig actions and reqs to systemv subpackage
- New maven depmaps generation method
- Add patch to support java7. (patch sent upstream).
- Require java >= 1:1.6.0
* Fri Jan 13 2012 Krzysztof Daniel <kdaniel@redhat.com> 0:7.0.23-5
- Exported javax.servlet.* packages in version 3.0 as 2.6 to make servlet-api compatible with Eclipse.
* Thu Jan 12 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.23-4
- Move jsvc support to subpackage
* Wed Jan 11 2012 Alexander Kurtakov <akurtako@redhat.com> 0:7.0.23-2
- Add EntityResolver setter patch to jasper for jetty's need. (patch sent upstream).
* Mon Dec 12 2011 Joseph D. Wagner <joe@josephdwagner.info> 0:7.0.23-3
- Added support to /usr/sbin/tomcat-sysd and /usr/sbin/tomcat for starting tomcat with jsvc, which allows tomcat to perform some privileged operations (e.g. bind to a port < 1024) and then switch identity to a non-privileged user. Must add USE_JSVC="true" to /etc/tomcat/tomcat.conf or /etc/sysconfig/tomcat.
* Mon Nov 28 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.23-1
- Updated to 7.0.23
* Fri Nov 11 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.22-2
- Move tomcat-juli.jar to lib package
- Drop %update_maven_depmap as in tomcat6
- Provide native systemd unit file ported from tomcat6
-------------------------------------------------------------------------------
References:

[ 1 ] Bug #873664 - CVE-2012-3439 tomcat: three DIGEST authentication implementation issues
      https://bugzilla.redhat.com/show_bug.cgi?id=873664
[ 2 ] Bug #873695 - CVE-2012-2733 tomcat: HTTP NIO connector OOM DoS via a request with large headers
      https://bugzilla.redhat.com/show_bug.cgi?id=873695
[ 3 ] Bug #883637 - CVE-2012-4534 Tomcat - Denial Of Service when using NIO+SSL+sendfile
      https://bugzilla.redhat.com/show_bug.cgi?id=883637
[ 4 ] Bug #883636 - CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter
      https://bugzilla.redhat.com/show_bug.cgi?id=883636
[ 5 ] Bug #883634 - CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints
      https://bugzilla.redhat.com/show_bug.cgi?id=883634
-------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use su -c 'yum update tomcat' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys
-------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce