This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigCFF56D7A3C2951058ED46C5B Content-Type: text/plain; charset=ISO-8859- Content-Transfer-Encoding: quoted-printable
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201206-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal Title: Apache Tomcat: Multiple vulnerabilities Date: June 24, 2012 Bugs: #272566, #273662, #303719, #320963, #329937, #373987, #374619, #382043, #386213, #396401, #399227 ID: 201206-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis ========
Multiple vulnerabilities were found in Apache Tomcat, the worst of which allowing to read, modify and overwrite arbitrary files.
Background ==========
Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.
Affected packages =================
------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-servers/tomcat *< 5.5.34 *>= 6.0.35 *< 6.0.35 >= 7.0.23 < 7.0.23
Description ===========
Multiple vulnerabilities have been discovered in Apache Tomcat. Please review the CVE identifiers referenced below for details.
Impact ======
The vulnerabilities allow an attacker to cause a Denial of Service, to hijack a session, to bypass authentication, to inject webscript, to enumerate valid usernames, to read, modify and overwrite arbitrary files, to bypass intended access restrictions, to delete work-directory files, to discover the server's hostname or IP, to bypass read permissions for files or HTTP headers, to read or write files outside of the intended working directory, and to obtain sensitive information by reading a log file.
Workaround ==========
There is no known workaround at this time.
Resolution ==========
All Apache Tomcat 6.0.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-6.0.35"
All Apache Tomcat 7.0.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.23"
References ==========
[ 1 ] CVE-2008-5515 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5515 [ 2 ] CVE-2009-0033 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0033 [ 3 ] CVE-2009-0580 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0580 [ 4 ] CVE-2009-0781 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0781 [ 5 ] CVE-2009-0783 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0783 [ 6 ] CVE-2009-2693 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2693 [ 7 ] CVE-2009-2901 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2901 [ 8 ] CVE-2009-2902 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2902 [ 9 ] CVE-2010-1157 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1157 [ 10 ] CVE-2010-2227 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2227 [ 11 ] CVE-2010-3718 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3718 [ 12 ] CVE-2010-4172 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4172 [ 13 ] CVE-2010-4312 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4312 [ 14 ] CVE-2011-0013 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0013 [ 15 ] CVE-2011-0534 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0534 [ 16 ] CVE-2011-1088 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1088 [ 17 ] CVE-2011-1183 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1183 [ 18 ] CVE-2011-1184 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1184 [ 19 ] CVE-2011-1419 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1419 [ 20 ] CVE-2011-1475 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1475 [ 21 ] CVE-2011-1582 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1582 [ 22 ] CVE-2011-2204 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2204 [ 23 ] CVE-2011-2481 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2481 [ 24 ] CVE-2011-2526 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2526 [ 25 ] CVE-2011-2729 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2729 [ 26 ] CVE-2011-3190 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3190 [ 27 ] CVE-2011-3375 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3375 [ 28 ] CVE-2011-4858 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4858 [ 29 ] CVE-2011-5062 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5062 [ 30 ] CVE-2011-5063 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5063 [ 31 ] CVE-2011-5064 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5064 [ 32 ] CVE-2012-0022 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0022
Availability ============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-24.xml
Concerns? =========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License =======
Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--------------enigCFF56D7A3C2951058ED46C5B Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCAAGBQJP5ycUAAoJEByNLmvcM7DuI84QAKnAB+xpDWEYzz0c8C+wiS8x Z0/dhtnMDF6MYMC4uDLwljcbPd4XtIB3wBYcrhhDlACzmzrNSQeTUlc+LiVXqZRN WnFLy+R2NeT2yuN3sBy2lY5pOaF8lJuXKpL5fOZ5Phv+3dm9rJsbkpGQ3xoBX4JF KyKj/rStYKfxmI+C4gm+XyLGFf7K8y5phsT7hqUCCaeTFb3tRFSAd2qGp+3VE6Vs 58a1hjlFbdk0ruBkpQP96zyRhqRJ3eAn/3dD0gGQsGqphDAvMcjfNI2XdNY3gk4C YuX8OJs7j3mh5Fs5Kyw5DGrzzETGtH5+vV124zl0kYrdmz1uFn5Ykn92ooZPqbpW 7AfJX/VFzD/cS0FXdlkynlAow3SWNsbn7eXFWogcQZoploTR+7K7PC9IoffOnbP6 kN5yAtePiCrFjJMVkQVcmfC/QOnZCj41Vm49Oz2HqT8jf/iHnkY3mOO6Fn8XjnRY Nqyx7HnbEKyY7wfcNL3+dspsy16RLp0qnQQ18takjvAXyAguP8jsCUr5hJZNGql4 2SxofANJxyYF53KLn5xxVVUspBoeIJ2KP9muJcWigTHNTiQGUHLzGwKw8pxojqE2 IzgEjYqE3PIrHGh/MafawZhLFLEvNnZHmFhy1B+QpJBQAmgLGu+t20gkdmp4PD0l gFNphSq8Ymq8/o/arZVa =RaQy -----END PGP SIGNATURE-----
--------------enigCFF56D7A3C2951058ED46C5B--
|