ESB-2012.0116 - [Debian] tomcat6: Multiple vulnerabilities

Date: 03 February 2012
References: ESB-2011.0673  ESB-2011.0726  ASB-2011.0064.2  ESB-2011.0880  ASB-2012.0008  ESB-2012.0067  ESB-2012.0112.2  ESB-2012.0132  ESB-2012.0321  ESB-2012.0837.2  ESB-2013.0322

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0116
                          tomcat6 security update
                              3 February 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat6
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0022 CVE-2011-5064 CVE-2011-5063
                   CVE-2011-5062 CVE-2011-4858 CVE-2011-3375
                   CVE-2011-3190 CVE-2011-2526 CVE-2011-2204
                   CVE-2011-1184  

Reference:         ASB-2012.0008
                   ESB-2012.0067
                   ESB-2011.0880
                   ESB-2011.0726
                   ESB-2011.0673
                   ASB-2011.0064.2
                   ESB-2012.0112.2

Original Bulletin: 
   http://www.debian.org/security/2012/dsa-2401

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2401-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 02, 2012                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : tomcat6
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-1184 CVE-2011-2204 CVE-2011-2526 CVE-2011-3190 
                 CVE-2011-3375 CVE-2011-4858 CVE-2011-5062 CVE-2011-5063 
                 CVE-2011-5064 CVE-2012-0022 

Several vulnerabilities have been found in Tomcat, a servlet and JSP 
engine:

CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064

   The HTTP Digest Access Authentication implementation performed
   insufficient countermeasures against replay attacks.

CVE-2011-2204

   In rare setups passwords were written into a logfile.

CVE-2011-2526
   
   Missing input sanitising in the HTTP APR or HTTP NIO connectors
   could lead to denial of service.

CVE-2011-3190

   AJP requests could be spoofed in some setups.

CVE-2011-3375

   Incorrect request caching could lead to information disclosure.

CVE-2011-4858 CVE-2012-0022

   This update adds countermeasures against a collision denial of
   service vulnerability in the Java hashtable implementation and
   addresses denial of service potential when processing large
   amounts of requests.
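The following is an added illustration of the collision problem described above; it is example code written for this bulletin, not Debian's or Tomcat's. It computes Java's String.hashCode(), generates request parameter names that all share one hash value, measures how a chained hash table degrades when those names are inserted, and applies a parameter-count cap. The cap imitates the Connector maxParameterCount attribute that Tomcat introduced around this fix (an assumption about Tomcat's countermeasure, not something this bulletin states), and the request bodies are constructed for the demo.

```python
"""Added example (not Debian's or Tomcat's code). Shows why a request whose
parameter names all share one Java String.hashCode() turns a chained hash
table into a linked list, and a parameter-count cap of the kind Tomcat's
connector gained (maxParameterCount, assumed here) as a countermeasure.
All request bodies in this file are constructed for the demo."""
from itertools import product


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over UTF-16 units, as a signed
    32-bit int. Only BMP characters are used here, so ord() matches."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_names(count: int) -> list:
    """Return `count` distinct strings with identical Java hashCode.
    "Aa" and "BB" both hash to 2112, so concatenating k of them yields
    2**k distinct strings sharing one hash value."""
    k = max(1, (count - 1).bit_length())          # smallest k with 2**k >= count
    names = ["".join(p) for p in product(("Aa", "BB"), repeat=k)]
    return names[:count]


class ChainedTable:
    """Separate-chaining table bucketed by Java hashCode, instrumented to
    count key comparisons so the quadratic blow-up is visible."""

    def __init__(self, buckets: int = 1024):
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key: str, value: str) -> None:
        chain = self.buckets[java_string_hash(key) % len(self.buckets)]
        for entry in chain:
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def parse_params(body: str, max_parameter_count: int = None) -> ChainedTable:
    """Parse an application/x-www-form-urlencoded body into a ChainedTable.
    `max_parameter_count` plays the role of Tomcat's connector attribute;
    this example rejects the request outright when the limit is exceeded
    (Tomcat's own handling differs in detail), so the hostile parsing work
    is never started."""
    pairs = [p for p in body.split("&") if p]
    if max_parameter_count is not None and len(pairs) > max_parameter_count:
        raise ValueError(
            f"{len(pairs)} parameters exceed limit of {max_parameter_count}")
    table = ChainedTable()
    for pair in pairs:
        name, _, value = pair.partition("=")
        table.put(name, value)
    return table


def demo(n: int = 1024) -> dict:
    """Compare parsing cost for n benign names vs n colliding names, and show
    the cap stopping the colliding request. Returns the measured figures."""
    benign = "&".join(f"p{i}=1" for i in range(n))
    hostile = "&".join(f"{name}=1" for name in colliding_names(n))
    benign_cost = parse_params(benign).comparisons
    hostile_cost = parse_params(hostile).comparisons
    try:
        parse_params(hostile, max_parameter_count=n // 2)
        capped = False
    except ValueError:
        capped = True
    return {"benign_comparisons": benign_cost,
            "hostile_comparisons": hostile_cost,
            "capped": capped}


if __name__ == "__main__":
    print(demo())
```

With 1024 colliding names every insert walks the whole chain, so the table does 1024*1023/2 key comparisons for a request of a few kilobytes; the same number of benign names spreads across buckets and costs a small fraction of that. The cap refuses the request before any of that work happens, which is the shape of countermeasure that mattered here: the hash function itself was not changed in this update.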

Additional information can be 
found at http://tomcat.apache.org/security-6.html 

For the stable distribution (squeeze), these problems have been fixed in
version 6.0.35-1+squeeze2.

For the unstable distribution (sid), these problems have been fixed in
version 6.0.35-1.

We recommend that you upgrade your tomcat6 packages.
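An added check, not Debian's or AusCERT's tooling, that compares an installed tomcat6 version against the fixed versions named above. It reimplements dpkg's version ordering in Python so the comparison also runs where dpkg is absent (for example on a host auditing package inventories exported from elsewhere); the dpkg-query call is used only when that tool is present. The version strings in the usage are constructed samples, not observations from any system.

```python
"""Added example, not Debian's or AusCERT's tooling. Checks whether an
installed tomcat6 version is at or past the fixed version this DSA names,
using a reimplementation of dpkg's version ordering so it runs without dpkg.
Sample version strings used with it are constructed, not observed."""
import shutil
import subprocess

# Fixed versions as stated in DSA-2401-1.
FIXED = {"squeeze": "6.0.35-1+squeeze2", "sid": "6.0.35-1"}


def split_version(version: str):
    """Split '[epoch:]upstream[-debian_revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _order(c: str) -> int:
    """dpkg's character weighting for non-digit runs: '~' sorts before
    anything, including the end of the string; letters before other chars."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def compare_fragment(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternate non-digit runs (weighted by _order) and
    digit runs (compared numerically, so 35 > 9)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: a string that ends while the other still has a
        # non-digit character compares as an empty character (weight 0)
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run
        start_a, start_b = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[start_a:i] or "0"), int(b[start_b:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(a: str, b: str) -> int:
    """Negative, zero or positive, like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return compare_fragment(ua, ub) or compare_fragment(ra, rb)


def is_fixed(installed: str, suite: str) -> bool:
    """True when `installed` is the fixed version for `suite` or newer."""
    return compare_versions(installed, FIXED[suite]) >= 0


def installed_version(package: str = "tomcat6"):
    """Ask dpkg for the installed version; None if dpkg-query is missing
    or the package is not installed."""
    if shutil.which("dpkg-query") is None:
        return None
    proc = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip() or None


if __name__ == "__main__":
    # Live check; the suite is assumed to be squeeze, adjust for sid.
    current = installed_version()
    if current is None:
        print("tomcat6 not installed or dpkg unavailable")
    else:
        state = "fixed" if is_fixed(current, "squeeze") else "VULNERABLE"
        print(f"tomcat6 {current}: {state} (fixed in {FIXED['squeeze']})")
```

Two ordering details matter for this particular advisory: the plain sid version 6.0.35-1 sorts below 6.0.35-1+squeeze2 (a '+' suffix extends the revision), so a squeeze host reporting 6.0.35-1 is not at the squeeze fix level, and a '~' suffix (backport style) sorts below the version it is attached to, so such a build would also be reported as not fixed.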

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk8q44UACgkQXm3vHE4uylq9GwCaA8Z39hbJ4oljcJTwK61zNA1k
IYMAnRoJP2BgR1tEV64BMuAuECS0hE/r
=Gx2T
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================