Synopsis: Important: tomcat security update
Issue date: 2008-08-27
CVE Names: CVE-2008-1232 CVE-2008-1947 CVE-2008-2370
CVE-2008-2938
A cross-site scripting vulnerability was discovered in the
HttpServletResponse.sendError() method. A remote attacker could inject
arbitrary web script or HTML via forged HTTP headers. (CVE-2008-1232)
An additional cross-site scripting vulnerability was discovered in the host
manager application. A remote attacker could inject arbitrary web script or
HTML via the hostname parameter. (CVE-2008-1947)
A traversal vulnerability was discovered when using a RequestDispatcher
in combination with a servlet or JSP. A remote attacker could utilize a
specially-crafted request parameter to access protected web resources.
(CVE-2008-2370)
An additional traversal vulnerability was discovered when the
"allowLinking" and "URIencoding" settings were activated. A remote attacker
could use a UTF-8-encoded request to extend their privileges and obtain
local files accessible to the Tomcat process. (CVE-2008-2938)
SL 5.x
SRPMS:
tomcat5-5.5.23-0jpp.7.el5_2.1.src.rpm
i386:
tomcat5-5.5.23-0jpp.7.el5_2.1.i386.rpm
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_2.1.i386.rpm
tomcat5-common-lib-5.5.23-0jpp.7.el5_2.1.i386.rpm
tomcat5-jasper-5.5.23-0jpp.7.el5_2.1.i386.rpm
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_2.1.i386.rpm
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_2.1.i386.rpm
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_2.1.i386.rpm
tomcat5-server-lib-5.5.23-0jpp.7.el5_2.1.i386.rpm
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_2.1.i386.rpm
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_2.1.i386.rpm
tomcat5-webapps-5.5.23-0jpp.7.el5_2.1.i386.rpm
x86_64:
tomcat5-5.5.23-0jpp.7.el5_2.1.x86_64.rpm
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_2.1.x86_64.rpm
tomcat5-common-lib-5.5.23-0jpp.7.el5_2.1.x86_64.rpm
tomcat5-jasper-5.5.23-0jpp.7.el5_2.1.x86_64.rpm
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_2.1.x86_64.rpm
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_2.1.x86_64.rpm
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_2.1.x86_64.rpm
tomcat5-server-lib-5.5.23-0jpp.7.el5_2.1.x86_64.rpm
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_2.1.x86_64.rpm
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_2.1.x86_64.rpm
tomcat5-webapps-5.5.23-0jpp.7.el5_2.1.x86_64.rpm
-Connie Sieh
-Troy Dawson