ESB-2012.0132 - [Debian] tomcat6: Multiple vulnerabilities

Date: 06 February 2012
References: ASB-2011.0064.2  ASB-2012.0008  ESB-2012.0116  ESB-2012.0143.2  ESB-2012.0837.2  ESB-2013.0322  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0132
                          tomcat6 security update
                              6 February 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat6
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
Impact/Access:     Denial of Service        -- Remote/Unauthenticated      
                   Unauthorised Access      -- Remote/Unauthenticated      
                   Access Confidential Data -- Remote with User Interaction
                   Reduced Security         -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0022 CVE-2011-5064 CVE-2011-5063
                   CVE-2011-5062 CVE-2011-4858 CVE-2011-3375
                   CVE-2011-3190 CVE-2011-2526 CVE-2011-2204
                   CVE-2011-1184  

Reference:         ASB-2012.0008
                   ESB-2012.0116
                   ASB-2011.0064.2

Original Bulletin: 
   http://www.debian.org/security/2012/dsa-2401

--------------------------BEGIN INCLUDED TEXT--------------------


-------------------------------------------------------------------------
Debian Security Advisory DSA-2401-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 02, 2012                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tomcat6
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-1184 CVE-2011-2204 CVE-2011-2526 CVE-2011-3190 
                 CVE-2011-3375 CVE-2011-4858 CVE-2011-5062 CVE-2011-5063 
                 CVE-2011-5064 CVE-2012-0022 

Several vulnerabilities have been found in Tomcat, a servlet and JSP 
engine:

CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064

   The HTTP Digest Access Authentication implementation performed
   insufficient countermeasures against replay attacks.

CVE-2011-2204

   In rare setups passwords were written into a logfile.

CVE-2011-2526
   
   Missing input sanitising in the HTTP APR or HTTP NIO connectors
   could lead to denial of service.

CVE-2011-3190

   AJP requests could be spoofed in some setups.

CVE-2011-3375

   Incorrect request caching could lead to information disclosure.

CVE-2011-4858 CVE-2012-0022

   This update adds countermeasures against a collision denial of 
   service vulnerability in the Java hashtable implementation and
   addresses denial of service potentials when processing large
   amounts of requests.

Additional information can be 
found at http://tomcat.apache.org/security-6.html 

For the stable distribution (squeeze), this problem has been fixed in
version 6.0.35-1+squeeze2.

For the unstable distribution (sid), this problem has been fixed in
version 6.0.35-1.

We recommend that you upgrade your tomcat6 packages.
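A defender's check added here, not part of the Debian advisory or AusCERT's text: a Python reimplementation of dpkg's version ordering (epoch, upstream version, Debian revision, with '~' sorting first), applied to the two fixed versions named above so an inventory script can flag tomcat6 installs still below 6.0.35-1+squeeze2 (squeeze) or 6.0.35-1 (sid). The installed version strings used for comparison are constructed samples.

```python
import re

# Fixed versions named in DSA-2401 (taken from the advisory above)
FIXED_VERSIONS = {"squeeze": "6.0.35-1+squeeze2", "sid": "6.0.35-1"}

def _order(c: str) -> int:
    # dpkg character weights: '~' < end-of-string/digit < letters < other punctuation
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # One version component, compared like dpkg's verrevcmp(): alternate
    # non-digit runs (by character weight) and digit runs (numerically).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            wa = _order(a[i]) if i < len(a) else 0
            wb = _order(b[j]) if j < len(b) else 0
            if wa != wb:
                return wa - wb
            i, j = i + 1, j + 1
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def debian_version_cmp(v1: str, v2: str) -> int:
    # Returns -1, 0 or 1: epoch first, then upstream version, then Debian revision
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def tomcat6_is_fixed(installed: str, suite: str) -> bool:
    # True when the installed tomcat6 version is at or above the DSA-2401 fix
    return debian_version_cmp(installed, FIXED_VERSIONS[suite]) >= 0
```

The installed version to feed in comes from `dpkg-query -W -f='${Version}' tomcat6` on each host.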

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================