Security: Multiple problems in tomcat
Name: Multiple problems in tomcat
ID: FEDORA-2012-20151
Distribution: Fedora
Platforms: Fedora 16
Date: Wed, 19 December 2012, 11:08
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3546
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4534

Original message

Name    : tomcat
Product : Fedora 16
Version : 7.0.33
Release : 1.fc16
URL     : http://tomcat.apache.org/
Summary : Apache Servlet/JSP Engine, RI for Servlet 3.0/JSP 2.2 API
Description :
Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by
Sun under the Java Community Process.

Tomcat is developed in an open and participatory environment and
released under the Apache Software License version 2.0. Tomcat is intended
to be a collaboration of the best-of-breed developers from around the world.

--------------------------------------------------------------------------------
Update Information:

- Updated to 7.0.33
- Resolves: rhbz 873620 need chkconfig for update-alternatives
- Resolves: rhbz 883676,883691,883704,873707 fix several security issues
- Resolves: rhbz 883806 refix logdir ownership
- Resolves: rhbz 820119 Remove bundled apache-commons-dbcp
--------------------------------------------------------------------------------
ChangeLog:

* Thu Dec 6 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.33-1
- Updated to 7.0.33
- Resolves: rhbz 873620 need chkconfig for update-alternatives
- Resolves: rhbz 873707 fix several security issues
- Resolves: rhbz 883806 refix logdir ownership
- Resolves: rhbz 820119 Remove bundled apache-commons-dbcp
* Tue Apr 10 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.27-2
- Fixed tomcat-native download
* Sat Apr 7 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.27-1
- Updated to 7.0.27
- Fixed jakarta-taglibs-standard BR and R
* Wed Feb 22 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.26-1
- Updated to 7.0.26
- Bug 790334: Change ownership of logdir for logrotate
* Thu Feb 16 2012 Krzysztof Daniel <kdaniel@redhat.com> 0:7.0.25-3
- Bug 790694: Priorities of jsp, servlet and el packages updated.
* Sun Jan 22 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.25-2
- Added hack for maven depmap of tomcat-juli absolute link [ -f ] pass correctly
* Sat Jan 21 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.25-1
- Updated to 7.0.25
- Removed EntityResolver patch (changes already in upstream sources)
- Place poms and depmaps in the same package as jars
- Added javax.servlet.descriptor to export-package of servlet-api
- Move several chkconfig actions and reqs to systemv subpackage
- New maven depmaps generation method
- Add patch to support java7. (patch sent upstream).
- Require java >= 1:1.6.0
* Fri Jan 13 2012 Krzysztof Daniel <kdaniel@redhat.com> 0:7.0.23-5
- Exported javax.servlet.* packages in version 3.0 as 2.6 to make
servlet-api compatible with Eclipse.
* Thu Jan 12 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.23-4
- Move jsvc support to subpackage
* Wed Jan 11 2012 Alexander Kurtakov <akurtako@redhat.com> 0:7.0.23-2
- Add EntityResolver setter patch to jasper for jetty's need. (patch sent
upstream).
* Mon Dec 12 2011 Joseph D. Wagner <joe@josephdwagner.info> 0:7.0.23-3
- Added support to /usr/sbin/tomcat-sysd and /usr/sbin/tomcat for
starting tomcat with jsvc, which allows tomcat to perform some
privileged operations (e.g. bind to a port < 1024) and then switch
identity to a non-privileged user. Must add USE_JSVC="true" to
/etc/tomcat/tomcat.conf or /etc/sysconfig/tomcat.
* Mon Nov 28 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.23-1
- Updated to 7.0.23
* Fri Nov 11 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.22-2
- Move tomcat-juli.jar to lib package
- Drop %update_maven_depmap as in tomcat6
- Provide native systemd unit file ported from tomcat6
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #873664 - CVE-2012-3439 tomcat: three DIGEST authentication
implementation issues
https://bugzilla.redhat.com/show_bug.cgi?id=873664
[ 2 ] Bug #873695 - CVE-2012-2733 tomcat: HTTP NIO connector OOM DoS via a
request with large headers
https://bugzilla.redhat.com/show_bug.cgi?id=873695
[ 3 ] Bug #883637 - CVE-2012-4534 Tomcat - Denial Of Service when using
NIO+SSL+sendfile
https://bugzilla.redhat.com/show_bug.cgi?id=883637
[ 4 ] Bug #883636 - CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF
prevention filter
https://bugzilla.redhat.com/show_bug.cgi?id=883636
[ 5 ] Bug #883634 - CVE-2012-3546 Tomcat/JBoss Web - Bypass of security
constraints
https://bugzilla.redhat.com/show_bug.cgi?id=883634
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update tomcat' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce