
Security: Multiple issues in Tomcat
Name: Multiple issues in Tomcat
ID: USN-1252-1
Distribution: Ubuntu
Platforms: Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04, Ubuntu 11.10
Date: Tue, 8 November 2011, 15:08
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190
Applications: Apache Tomcat

Original message


==========================================================================
Ubuntu Security Notice USN-1252-1
November 08, 2011

tomcat6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

Tomcat could be made to crash or expose sensitive information over the
network.

Software Description:
- tomcat6: Servlet and JSP engine

Details:

It was discovered that Tomcat incorrectly implemented HTTP DIGEST
authentication. An attacker could use this flaw to perform a variety of
authentication attacks. (CVE-2011-1184)

Polina Genova discovered that Tomcat incorrectly created log entries with
passwords when encountering errors during JMX user creation. A local
attacker could possibly use this flaw to obtain sensitive information. This
issue only affected Ubuntu 10.04 LTS, 10.10 and 11.04. (CVE-2011-2204)

It was discovered that Tomcat incorrectly validated certain request
attributes when sendfile is enabled. A local attacker could bypass intended
restrictions, or cause the JVM to crash, resulting in a denial of service.
(CVE-2011-2526)

It was discovered that Tomcat incorrectly handled certain AJP requests. A
remote attacker could use this flaw to spoof requests, bypass
authentication, and obtain sensitive information. This issue only affected
Ubuntu 10.04 LTS, 10.10 and 11.04. (CVE-2011-3190)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
libtomcat6-java 6.0.32-5ubuntu1.1

Ubuntu 11.04:
libtomcat6-java 6.0.28-10ubuntu2.2

Ubuntu 10.10:
libtomcat6-java 6.0.28-2ubuntu1.5

Ubuntu 10.04 LTS:
libtomcat6-java 6.0.24-2ubuntu1.9

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1252-1
CVE-2011-1184, CVE-2011-2204, CVE-2011-2526, CVE-2011-3190

Package Information:
https://launchpad.net/ubuntu/+source/tomcat6/6.0.32-5ubuntu1.1
https://launchpad.net/ubuntu/+source/tomcat6/6.0.28-10ubuntu2.2
https://launchpad.net/ubuntu/+source/tomcat6/6.0.28-2ubuntu1.5
https://launchpad.net/ubuntu/+source/tomcat6/6.0.24-2ubuntu1.9
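
The version check implied by the update instructions above, as an added example that is not part of the Ubuntu notice: it compares an installed libtomcat6-java version against the fixed versions listed per release, using Debian version ordering rather than string comparison. The function names are assumptions chosen for illustration.

```python
import re

# Fixed libtomcat6-java versions per Ubuntu release, copied from the notice.
FIXED = {
    "11.10": "6.0.32-5ubuntu1.1",
    "11.04": "6.0.28-10ubuntu2.2",
    "10.10": "6.0.28-2ubuntu1.5",
    "10.04": "6.0.24-2ubuntu1.9",
}

def _weights(text, width):
    """dpkg sort weights for a non-digit run, padded with 0 (end of run)."""
    w = [-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256 for c in text]
    return w + [0] * (width - len(w))

def _cmp_fragment(a, b):
    """Compare two upstream or revision strings with dpkg's ordering."""
    pa = re.findall(r"([^0-9]*)([0-9]*)", a)
    pb = re.findall(r"([^0-9]*)([0-9]*)", b)
    for i in range(max(len(pa), len(pb))):
        ta, na = pa[i] if i < len(pa) else ("", "")
        tb, nb = pb[i] if i < len(pb) else ("", "")
        width = max(len(ta), len(tb))
        left = (_weights(ta, width), int(na or 0))
        right = (_weights(tb, width), int(nb or 0))
        if left != right:
            return -1 if left < right else 1
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare(a, b):
    """Return -1, 0 or 1 as a sorts before, equal to or after b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(release, installed):
    """True when the installed version is at or above the notice's fix."""
    return compare(installed, FIXED[release]) >= 0
```

Plain string comparison would rank 6.0.28-10ubuntu2.2 below 6.0.28-2ubuntu1.5, while `compare` orders them correctly. The installed version can be read with `dpkg-query -W -f='${Version}' libtomcat6-java`.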


