
Pardus alert 2011-38 (tomcat-servlet-api)

From:  Meltem <meltem@pardus.org.tr>
To:  pardus-security@pardus.org.tr
Subject:  [Pardus-security] [PLSA 2011-38] Tomcat: Multiple Vulnerabilities
Date:  Mon, 14 Feb 2011 12:25:14 +0200
Message-ID:  <201102141225.14898.meltem@pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2011-38              security@pardus.org.tr
------------------------------------------------------------------------
Date: 2011-02-14
Severity: 3
Type: Remote
------------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities have been fixed in php.

Description
===========

CVE-2010-1157: Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26
might allow remote attackers to discover the server's hostname or IP address
by sending a request for a resource that requires (1) BASIC or (2) DIGEST
authentication, and then reading the realm field in the WWW-Authenticate
header in the reply.

CVE-2010-2227: Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and
7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which
allows remote attackers to cause a denial of service (application outage) or
obtain sensitive information via a crafted header that interferes with
"recycling" of a buffer.

CVE-2009-2693: Directory traversal vulnerability in Apache Tomcat 5.5.0
through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or
overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as
demonstrated by a ../../bin/catalina.bat entry.

CVE-2009-2902: Directory traversal vulnerability in Apache Tomcat 5.5.0
through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete
work-directory files via directory traversal sequences in a WAR filename, as
demonstrated by the ...war filename.

Affected packages:

  Pardus 2009: tomcat-servlet-api, all before 5.5.32-4-4

Resolution
==========

There are update(s) for tomcat-servlet-api. You can update them via Package
Manager or with a single command from console:

  pisi up tomcat-servlet-api

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=14810
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-...
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-...
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-...

------------------------------------------------------------------------

_______________________________________________
Pardus-Security mailing list
Pardus-Security@pardus.org.tr
http://liste.pardus.org.tr/mailman/listinfo/pardus-security
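The two directory-traversal issues above (a `..` entry inside a WAR, and traversal sequences in the WAR filename itself) both come down to a deployer trusting archive-supplied names. The following added example, written for this page and not code from Pardus or the Tomcat project, shows the pre-deployment check a defender would run: it normalizes each archive entry name and flags any that would resolve outside the deployment root, and it rejects WAR filenames such as `...war`. The sample archive and its entry names are constructed for the demonstration.

```python
import io
import posixpath
import zipfile


def entry_escapes_root(name: str) -> bool:
    """True if a WAR/zip entry name would resolve outside the deployment directory."""
    # Treat backslashes as separators too: some archivers emit them on Windows.
    name = name.replace("\\", "/")
    # Absolute paths and drive-letter paths are never acceptable inside an archive.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    # Collapse "a/./b" and "a/b/../c"; anything that still begins with ".." escapes.
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def unsafe_war_entries(war_bytes: bytes) -> list[str]:
    """List every entry in the archive that must not be extracted as-is."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return [n for n in zf.namelist() if entry_escapes_root(n)]


def is_safe_war_filename(filename: str) -> bool:
    """A deployable WAR name is '<context>.war' with a context that cannot traverse."""
    if not filename.endswith(".war"):
        return False
    context = filename[:-4]
    if not context or ".." in context:
        return False
    return "/" not in context and "\\" not in context


def build_sample_war() -> bytes:
    """Constructed sample: legitimate entries plus traversal entries of the CVE-2009-2693 kind."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("../../bin/catalina.bat", "@echo off\n")
        zf.writestr("images/../../../conf/server.xml", "<Server/>")
        zf.writestr("css/../style.css", "body{}")  # stays inside the root once normalized
    return buf.getvalue()


if __name__ == "__main__":
    print("unsafe entries:", unsafe_war_entries(build_sample_war()))
    for name in ("ROOT.war", "...war", "../x.war"):
        print(name, "->", "ok" if is_safe_war_filename(name) else "rejected")
```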

