[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] [ MDVSA-2011:030 ] tomcat5
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] [ MDVSA-2011:030 ] tomcat5
- From: security@xxxxxxxxxxxx
- Date: Fri, 18 Feb 2011 22:10:00 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:030
http://www.mandriva.com/security/
_______________________________________________________________________
Package : tomcat5
Date : February 18, 2011
Affected: 2009.0, 2010.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been found and corrected in tomcat5:
When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to
the work directory. This directory is used for a variety of temporary
files such as the intermediate files generated when compiling JSPs
to Servlets. The location of the work directory is specified by
a ServletContect attribute that is meant to be read-only to web
applications. However, due to a coding error, the read-only setting
was not applied. Therefore, a malicious web application may modify
the attribute before Tomcat applies the file permissions. This can be
used to grant read/write permissions to any area on the file system
which a malicious web application may then take advantage of. This
vulnerability is only applicable when hosting web applications from
untrusted sources such as shared hosting environments (CVE-2010-3718).
The HTML Manager interface displayed web applciation provided data,
such as display names, without filtering. A malicious web application
could trigger script execution by an administartive user when viewing
the manager pages (CVE-2011-0013).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
4acc23d840bdd74a8a2a27717c57f813
2009.0/i586/tomcat5-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
d901fdb0a4995bf9eb2870b3c9a1d249
2009.0/i586/tomcat5-admin-webapps-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
ae34366f41b039c6e53631b185547a7b
2009.0/i586/tomcat5-common-lib-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
ade05ceda9f2ae4fb342e7ef5df474e2
2009.0/i586/tomcat5-jasper-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
51fab09365486ad60ed686935c1c7511
2009.0/i586/tomcat5-jasper-eclipse-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
5f1fc1ea7c38546a38a04000cdf9212a
2009.0/i586/tomcat5-jasper-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
bddc26db0a0e9aea3223927566b11442
2009.0/i586/tomcat5-jsp-2.0-api-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
effd51cb30b8d2bb5f12a3a0507b1260
2009.0/i586/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
e71a36bd07ad8f241104e0e322900d55
2009.0/i586/tomcat5-server-lib-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
fc68ce165e49fa63529cda996f9e7e6f
2009.0/i586/tomcat5-servlet-2.4-api-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
aa8f7e5205aa734f94661d2e1d87cf03
2009.0/i586/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
09488edfcc731340c51322540e050445
2009.0/i586/tomcat5-webapps-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
78f469b9bdf9461e9dd423fa51a00fbb
2009.0/SRPMS/tomcat5-5.5.27-0.3.0.4mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
7f3a9c9a0f48012967fece5d682cc344
2009.0/x86_64/tomcat5-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
3151ab51c99456cf46095557b421a47d
2009.0/x86_64/tomcat5-admin-webapps-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
4312fccb593f577b34a77363c140460b
2009.0/x86_64/tomcat5-common-lib-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
04580ac069d37ea7ce1223f744dd63bf
2009.0/x86_64/tomcat5-jasper-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
adf6a50a74e425cd579d4c76fe518f88
2009.0/x86_64/tomcat5-jasper-eclipse-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
be1cdc23f0f7a115835062c6dd22f68e
2009.0/x86_64/tomcat5-jasper-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
827ce79fb2c78c7cd5e2b9ed74e60564
2009.0/x86_64/tomcat5-jsp-2.0-api-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
5ad827a665ee9a6b20d1e771ada0922a
2009.0/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
1133aad0b9a2715bbea40e925f065f0e
2009.0/x86_64/tomcat5-server-lib-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
734a3311954704b8d31c134c204273f3
2009.0/x86_64/tomcat5-servlet-2.4-api-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
e61e4817d3fe00bca326b7d078d38cc1
2009.0/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
4f37e8f46d3435971ad107d3012c2722
2009.0/x86_64/tomcat5-webapps-5.5.27-0.3.0.4mdv2009.0.noarch.rpm
78f469b9bdf9461e9dd423fa51a00fbb
2009.0/SRPMS/tomcat5-5.5.27-0.3.0.4mdv2009.0.src.rpm
Mandriva Linux 2010.0:
39e1b0164f00a89b96865243916eccb6
2010.0/i586/tomcat5-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
b406cccf6e7886b5c47de22ecc82088d
2010.0/i586/tomcat5-admin-webapps-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
b5c3e735cec844c1a7c1206c78a6af51
2010.0/i586/tomcat5-common-lib-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
0561c5ba6f593f8cb21d6433b31bbdf0
2010.0/i586/tomcat5-jasper-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
c3d3ed8727164b1542b08cc35b74eeb3
2010.0/i586/tomcat5-jasper-eclipse-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
137b051b6fa4a159098151aed959d4b8
2010.0/i586/tomcat5-jasper-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
fb2d81779b9a6701f935b69c72dfd1a2
2010.0/i586/tomcat5-jsp-2.0-api-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
247083e1e461555c064c57fb22293eb4
2010.0/i586/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
1eb783fc2a5fd77fc04327f103f3e924
2010.0/i586/tomcat5-server-lib-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
ff93f3807ad38a6f3efd3b755e4b8a9c
2010.0/i586/tomcat5-servlet-2.4-api-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
63293aef2e275ccf3c5dca5ab69b1a5b
2010.0/i586/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
5295cf4e876b552468657fd61eff83af
2010.0/i586/tomcat5-webapps-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
3e8072e942561408d7c33bd24517b4c9
2010.0/SRPMS/tomcat5-5.5.27-0.5.0.2mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
c4999736e1bc0c9a5a97d594cee65c1c
2010.0/x86_64/tomcat5-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
6b1e3d535d54b0be9e2ae5d1097ccada
2010.0/x86_64/tomcat5-admin-webapps-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
8b312a00888405017f0a569a941ef886
2010.0/x86_64/tomcat5-common-lib-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
2418f2e08935a6f0992b092a4bffecc8
2010.0/x86_64/tomcat5-jasper-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
83a682d9a8f037101b9551cd78a016c6
2010.0/x86_64/tomcat5-jasper-eclipse-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
bb1adfd0118f39da9a5b3f65ae84e62f
2010.0/x86_64/tomcat5-jasper-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
4a98e6b4fc7d0f857fc992b939d842ad
2010.0/x86_64/tomcat5-jsp-2.0-api-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
4037dc8df08254a5c8e93313221a7514
2010.0/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
1c1a706e810c6cd0c063d84b0522585a
2010.0/x86_64/tomcat5-server-lib-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
62bc24195dda4032d33bb206031bd037
2010.0/x86_64/tomcat5-servlet-2.4-api-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
c3bb0d7222dbc10f3d14a95ca8a79644
2010.0/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
a300b02d11c66be9c4b7025a16db508d
2010.0/x86_64/tomcat5-webapps-5.5.27-0.5.0.2mdv2010.0.noarch.rpm
3e8072e942561408d7c33bd24517b4c9
2010.0/SRPMS/tomcat5-5.5.27-0.5.0.2mdv2010.0.src.rpm
Mandriva Linux 2010.1:
5bdb48aeda19057db32a64589eacd82a
2010.1/i586/tomcat5-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
96ecbc6c012122bf2e11e500c6402205
2010.1/i586/tomcat5-admin-webapps-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
a176c1651cc2d08ed8510c01622d5176
2010.1/i586/tomcat5-common-lib-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
9240df47c808e342c5bc6dcd910d85f5
2010.1/i586/tomcat5-jasper-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
6f46c2c619ec79ec43783efcf7e908c2
2010.1/i586/tomcat5-jasper-eclipse-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
133a8b24ec4aa7662c0145ff5303beca
2010.1/i586/tomcat5-jasper-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
97eaf631f481c6431c7439755e33fde5
2010.1/i586/tomcat5-jsp-2.0-api-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
794935023c7630d13a887b474b78bb7e
2010.1/i586/tomcat5-jsp-2.0-api-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
ce72eb40ddf157064e8926eb58e2740b
2010.1/i586/tomcat5-server-lib-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
84f3460a32131aef7f663ea2c5981859
2010.1/i586/tomcat5-servlet-2.4-api-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
f04fe3121f8b1cf579f0cc92099c364a
2010.1/i586/tomcat5-servlet-2.4-api-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
ec6163a7e1ee720c01f86b7070ae1a5d
2010.1/i586/tomcat5-webapps-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
e480656f0abde41f97e478151a7fc71f
2010.1/SRPMS/tomcat5-5.5.28-0.5.0.2mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
405ff9248913717a0249614e3ccdeff4
2010.1/x86_64/tomcat5-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
0500f420f913cac42c8c2398182e0b8d
2010.1/x86_64/tomcat5-admin-webapps-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
f796e84a6cf4dac452eaaec03b819c97
2010.1/x86_64/tomcat5-common-lib-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
3e25bb28dc6c08b2dcbd1a272d01eaec
2010.1/x86_64/tomcat5-jasper-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
07e577e2fbc57e40b944478449715240
2010.1/x86_64/tomcat5-jasper-eclipse-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
1e688aca310915303d257abaa0c55099
2010.1/x86_64/tomcat5-jasper-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
631f812a7a32013ba301cecbeb23163d
2010.1/x86_64/tomcat5-jsp-2.0-api-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
5970e0221d6d5386f04316b6805c6bfc
2010.1/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
f64a8611f668cd19bafb0a8884c3b998
2010.1/x86_64/tomcat5-server-lib-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
ba19195b485e4468780f36010c5215b5
2010.1/x86_64/tomcat5-servlet-2.4-api-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
e241ad2d2ea43d6515b61a256fdbc61e
2010.1/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
15718f212c8d29bdbaac81ab40afbd2a
2010.1/x86_64/tomcat5-webapps-5.5.28-0.5.0.2mdv2010.2.noarch.rpm
e480656f0abde41f97e478151a7fc71f
2010.1/SRPMS/tomcat5-5.5.28-0.5.0.2mdv2010.2.src.rpm
Mandriva Enterprise Server 5:
bd71ae4141fbf5a884cfbccc756c8329
mes5/i586/tomcat5-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
75b8764895d7b231901602dd0605f2e2
mes5/i586/tomcat5-admin-webapps-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
6c827ad66b01560b72c5a8c96616afaa
mes5/i586/tomcat5-common-lib-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
1a2155333c323146ef3e1fbdeae96035
mes5/i586/tomcat5-jasper-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
554ec541f6857a7946a6fae67c0a2fa6
mes5/i586/tomcat5-jasper-eclipse-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
10b54ca8ebefcd816bade65dae8e408b
mes5/i586/tomcat5-jasper-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
8a12958fd3040ca0f4ce23bb7a3a1bdf
mes5/i586/tomcat5-jsp-2.0-api-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
320881d8a847077fc8a7d70d7d0e0a02
mes5/i586/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
8ab623786a3479dc5e990b9949a13502
mes5/i586/tomcat5-server-lib-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
d4c53039181b378a3da1016c137ad843
mes5/i586/tomcat5-servlet-2.4-api-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
52922ac7e5b4c1a7356d5248cf264a1d
mes5/i586/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
6cf03c3b0981031f6bf7b8710990bcb0
mes5/i586/tomcat5-webapps-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
a4f9e4804454f2d628865ad654d6a188
mes5/SRPMS/tomcat5-5.5.27-0.3.0.4mdvmes5.1.src.rpm
Mandriva Enterprise Server 5/X86_64:
20eee581278206c28db4e304a6756671
mes5/x86_64/tomcat5-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
d6b1d88885c03c36a84dd7703bb82bbb
mes5/x86_64/tomcat5-admin-webapps-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
a04900de513cbaf5359b41b1df0e9ff3
mes5/x86_64/tomcat5-common-lib-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
c58d2e125e9c2e4de256224d64cf1d46
mes5/x86_64/tomcat5-jasper-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
7612d8a28f5e008405a282ceb265a769
mes5/x86_64/tomcat5-jasper-eclipse-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
0796bfcd6e042c1128426bb47aae03d5
mes5/x86_64/tomcat5-jasper-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
2ccd09878fd1f3ef8e4846864bd2f71e
mes5/x86_64/tomcat5-jsp-2.0-api-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
1b94570c1a5913fd0eefbcbee71afdc8
mes5/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
ca2608f81795ff805e34e7316799a6a7
mes5/x86_64/tomcat5-server-lib-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
37d677648216a2d5577db95f0ab9f194
mes5/x86_64/tomcat5-servlet-2.4-api-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
42077f152ee121ed61cda754200f8902
mes5/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
75657b92a4a6d94e27c3188653cad41e
mes5/x86_64/tomcat5-webapps-5.5.27-0.3.0.4mdvmes5.1.noarch.rpm
a4f9e4804454f2d628865ad654d6a188
mes5/SRPMS/tomcat5-5.5.27-0.3.0.4mdvmes5.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFNXrAVmqjQ0CJFipgRAjIfAJ4yL+76n74D2G8gpFyNCGQ4s6+6GACglNTw
j0b0pCkznIMqccTMYR+zW5E=
=KGzB
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/