drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in tomcat
Name: |
Mehrere Probleme in tomcat |
|
ID: |
RHSA-2007:0871-01 |
|
Distribution: |
Red Hat |
|
Plattformen: |
Red Hat Enterprise Linux |
|
Datum: |
Mi, 26. September 2007, 10:36 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386
http://tomcat.apache.org/security-5.html |
|
Applikationen: |
Apache Tomcat |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
- --------------------------------------------------------------------- Red Hat Security Advisory
Synopsis: Moderate: tomcat security update Advisory ID: RHSA-2007:0871-01 Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0871.html Issue date: 2007-09-26 Updated on: 2007-09-26 Product: Red Hat Enterprise Linux CVE Names: CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 - ---------------------------------------------------------------------
1. Summary:
Updated tomcat packages that fix several security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
3. Problem description:
Tomcat is a servlet container for Java Servlet and Java Server Pages technologies.
Tomcat was found treating single quote characters -- ' -- as delimiters in cookies. This could allow remote attackers to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3382).
It was reported Tomcat did not properly handle the following character sequence in a cookie: \" (a backslash followed by a double-quote). It was possible remote attackers could use this failure to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3385).
A cross-site scripting (XSS) vulnerability existed in the Host Manager Servlet. This allowed remote attackers to inject arbitrary HTML and web script via crafted requests (CVE-2007-3386).
Users of Tomcat should update to these erratum packages, which contain backported patches and are not vulnerable to these issues.
4. Solution:
Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188
5. Bug IDs fixed (http://bugzilla.redhat.com/):
247972 - CVE-2007-3382 tomcat handling of cookies 247976 - CVE-2007-3385 tomcat handling of cookie values 247994 - CVE-2007-3386 tomcat host manager xss
6. RPMs required:
Red Hat Enterprise Linux Desktop (v. 5 client):
SRPMS: tomcat5-5.5.23-0jpp.3.0.2.el5.src.rpm 4cd5017f99a44689fd97bfaddb4d1e49 tomcat5-5.5.23-0jpp.3.0.2.el5.src.rpm
i386: c0dc6d1800b59c9bfc34a23b8d646af6 tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.i386.rpm 226f3d1465041197fc02615be82163fb tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.i386.rpm deb113e7d216237760505d9780b73a76 tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.i386.rpm
x86_64: 23d7a2a5d67055d37f27bef5503fee7b tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.x86_64.rpm fe8527d96dc984611e17982a0dfce68b tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.x86_64.rpm c831207357291c3dd091964e9aa49ebc tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
SRPMS: tomcat5-5.5.23-0jpp.3.0.2.el5.src.rpm 4cd5017f99a44689fd97bfaddb4d1e49 tomcat5-5.5.23-0jpp.3.0.2.el5.src.rpm
i386: 7d71ed89d94341f41b171293ad013d6b tomcat5-5.5.23-0jpp.3.0.2.el5.i386.rpm f0cfcd9ec14bf30223576796c3d86254 tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.i386.rpm c8ab874847b19faec830f6d002ef5700 tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.i386.rpm c0dc6d1800b59c9bfc34a23b8d646af6 tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.i386.rpm b128c5e933557b9e90aa7cb71ad86f72 tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.i386.rpm 7166ea7ab11411ba0d0adf715657ac89 tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.i386.rpm 34159a09da8641ba7d7a61335b9a3685 tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.i386.rpm ec84df22f55b68f172123dfb39680230 tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.i386.rpm 4d9285f3236fb71cc4f1595cdaceb2c0 tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.i386.rpm 14685a050088e338be428d4b315bed15 tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.i386.rpm
x86_64: 9a0875239aee9d021c8d4a56b42bb2a6 tomcat5-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 11619162c8e0adc036756a7ac03ce559 tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.x86_64.rpm d95026b2750fff774772c44a57f74792 tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 23d7a2a5d67055d37f27bef5503fee7b tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 9d3ddc4acf0c2ab389488f735aadf345 tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 3f2f6100623f9acb18d990fc52d9aa82 tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 1b51651253a8fe556bba1ddc565147f0 tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 86702ce51dbe4da513827d49758858d9 tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 1be1106c350b4f834c5959e144cbfdb5 tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 9ce3022090cc5cc036bec3f2edf75f49 tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
SRPMS: tomcat5-5.5.23-0jpp.3.0.2.el5.src.rpm 4cd5017f99a44689fd97bfaddb4d1e49 tomcat5-5.5.23-0jpp.3.0.2.el5.src.rpm
i386: 7d71ed89d94341f41b171293ad013d6b tomcat5-5.5.23-0jpp.3.0.2.el5.i386.rpm f0cfcd9ec14bf30223576796c3d86254 tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.i386.rpm c8ab874847b19faec830f6d002ef5700 tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.i386.rpm c0dc6d1800b59c9bfc34a23b8d646af6 tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.i386.rpm b128c5e933557b9e90aa7cb71ad86f72 tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.i386.rpm 7166ea7ab11411ba0d0adf715657ac89 tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.i386.rpm 226f3d1465041197fc02615be82163fb tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.i386.rpm 34159a09da8641ba7d7a61335b9a3685 tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.i386.rpm ec84df22f55b68f172123dfb39680230 tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.i386.rpm deb113e7d216237760505d9780b73a76 tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.i386.rpm 4d9285f3236fb71cc4f1595cdaceb2c0 tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.i386.rpm 14685a050088e338be428d4b315bed15 tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.i386.rpm
ia64: d1243dc5b592ce4c5058abba7d315345 tomcat5-5.5.23-0jpp.3.0.2.el5.ia64.rpm a2cf1700b014cec10c29031a0bb543cf tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.ia64.rpm f7c35060c547b32906d0152513198f52 tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.ia64.rpm 924aa06a7a426e77c9376cecf05833d1 tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.ia64.rpm d3ebf74a70ed5e96600beca2cbc619d9 tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.ia64.rpm 678a8878ac383ec4b1d30f1e19623520 tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.ia64.rpm c15745c6040cf2c3f3f7ba9de185654d tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.ia64.rpm d9597bc0b803984b99ffefbdb631a9d0 tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.ia64.rpm 95526b81e80b1ed513e399279901bfc5 tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.ia64.rpm e237eff013f4913f67709b0b27e90d6b tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.ia64.rpm 9543decf3e658d3bbcdf22a9ed151f87 tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.ia64.rpm 5d19ef46e5fc9b59f382c63160dd3c59 tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.ia64.rpm
ppc: d2113dd83880307a85683247a02eb3a0 tomcat5-5.5.23-0jpp.3.0.2.el5.ppc.rpm 1befc45ebca6fcebdde8ea58255592db tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.ppc.rpm 661cb595807b4be529c5fee444f53f73 tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.ppc.rpm 6fdf9f17f925f504dfa76ac6a53a2b89 tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.ppc.rpm af2381512f812c196346fcfcedccc599 tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.ppc.rpm 0a5499eea93ae7230728764d6f5433c9 tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.ppc.rpm 39d4dbd2ffcdafe5595c8fcba0d36c82 tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.ppc.rpm 916fb1dedfc9f27e67c722d872e019d8 tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.ppc.rpm f0a5fe0ea04ff15df8e1488e2e337606 tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.ppc.rpm 6ebdac439d0d3f640ee6bae5eb7d0db0 tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.ppc.rpm de8148bb55edd17fd09dda369b2b5621 tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.ppc.rpm d4c08ad82261464da948463712f7362d tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.ppc.rpm
s390x: c594c99a882748d4c8a6a26542fb5214 tomcat5-5.5.23-0jpp.3.0.2.el5.s390x.rpm 3fc2ddbb8cfd1b570b85ec2bcbbd1684 tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.s390x.rpm 5c0178460eaade94169af229a57c6764 tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.s390x.rpm bc8c2924826f432f1b39df050a775429 tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.s390x.rpm 85590df0cf18b16e41309da3382bb5ff tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.s390x.rpm 74a06cfefa4d31dc17d5d9f4fa71f345 tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.s390x.rpm 2cbeb5dfc8464099c090434b8c5a8e0b tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.s390x.rpm fa035a0f0cd0b80a1e866c0e7c35899f tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.s390x.rpm 8cb6883fa810bc4ad606724209f0bc15 tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.s390x.rpm 474dfcf43451a02d422506d8a12876a5 tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.s390x.rpm fedb0523b1a126613ca04fce2674546c tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.s390x.rpm e9402bc61b20745f61ffed678af844f5 tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.s390x.rpm
x86_64: 9a0875239aee9d021c8d4a56b42bb2a6 tomcat5-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 11619162c8e0adc036756a7ac03ce559 tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.x86_64.rpm d95026b2750fff774772c44a57f74792 tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 23d7a2a5d67055d37f27bef5503fee7b tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 9d3ddc4acf0c2ab389488f735aadf345 tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 3f2f6100623f9acb18d990fc52d9aa82 tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.x86_64.rpm fe8527d96dc984611e17982a0dfce68b tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 1b51651253a8fe556bba1ddc565147f0 tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 86702ce51dbe4da513827d49758858d9 tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.x86_64.rpm c831207357291c3dd091964e9aa49ebc tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 1be1106c350b4f834c5959e144cbfdb5 tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.x86_64.rpm 9ce3022090cc5cc036bec3f2edf75f49 tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386 http://tomcat.apache.org/security-5.html http://www.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/
Copyright 2007 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFG+hmLXlSAg2UNWIIRAor1AKC2IOh5rvEQhEeMqlT224k06MdbFwCbBQFf kpfI6XAq4LI+Y1vN2vURuoQ= =RqY/ -----END PGP SIGNATURE-----
-- Enterprise-watch-list mailing list Enterprise-watch-list@redhat.com https://www.redhat.com/mailman/listinfo/enterprise-watch-list
|
|
|
|