Synopsis:	Moderate: tomcat security update
Issue date:	2008-03-11
CVE Names:	CVE-2007-5461 CVE-2007-5342

A directory traversal vulnerability existed in the Apache Tomcat webdav
servlet. In some configurations it allowed remote authenticated users to
read files accessible to the local tomcat process. (CVE-2007-5461)

The default security policy in the JULI logging component did not restrict
access permissions to files. This could be misused by untrusted web
applications to access and write arbitrary files in the context of the
tomcat process. (CVE-2007-5342)

SL 5.x

    SRPMS:
tomcat5-5.5.23-0jpp.3.0.3.el5_1.src.rpm
    i386:
tomcat5-5.5.23-0jpp.3.0.3.el5_1.i386.rpm
tomcat5-admin-webapps-5.5.23-0jpp.3.0.3.el5_1.i386.rpm
tomcat5-common-lib-5.5.23-0jpp.3.0.3.el5_1.i386.rpm
tomcat5-jasper-5.5.23-0jpp.3.0.3.el5_1.i386.rpm
tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.3.el5_1.i386.rpm
tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.3.el5_1.i386.rpm
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.3.el5_1.i386.rpm
tomcat5-server-lib-5.5.23-0jpp.3.0.3.el5_1.i386.rpm
tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.3.el5_1.i386.rpm
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.3.el5_1.i386.rpm
tomcat5-webapps-5.5.23-0jpp.3.0.3.el5_1.i386.rpm
    x86_64:
tomcat5-5.5.23-0jpp.3.0.3.el5_1.x86_64.rpm
tomcat5-admin-webapps-5.5.23-0jpp.3.0.3.el5_1.x86_64.rpm
tomcat5-common-lib-5.5.23-0jpp.3.0.3.el5_1.x86_64.rpm
tomcat5-jasper-5.5.23-0jpp.3.0.3.el5_1.x86_64.rpm
tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.3.el5_1.x86_64.rpm
tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.3.el5_1.x86_64.rpm
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.3.el5_1.x86_64.rpm
tomcat5-server-lib-5.5.23-0jpp.3.0.3.el5_1.x86_64.rpm
tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.3.el5_1.x86_64.rpm
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.3.el5_1.x86_64.rpm
tomcat5-webapps-5.5.23-0jpp.3.0.3.el5_1.x86_64.rpm

-Connie Sieh
-Troy Dawson