SCIENTIFIC-LINUX-ERRATA Archives

April 2012

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From:  Patrick Riehecky
Date:  Wed, 11 Apr 2012 16:05:37 -0500

Synopsis:    Moderate: tomcat5 security update
Issue Date:  2012-04-11
CVE Numbers: CVE-2011-4858
             CVE-2012-0022


Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

It was found that the Java hashCode() method implementation was susceptible
to predictable hash collisions: an attacker can cheaply compute many distinct
strings that share one hash value, so a HashMap keyed on attacker-chosen
strings degenerates into a linear scan of a single bucket. A remote attacker
could use this flaw to cause Tomcat to use an excessive amount of CPU time by
sending an HTTP request with a large number of parameters whose names map to
the same hash value. This update introduces a limit on the number of
parameters and headers processed per request to mitigate this issue. The
default limit is 512 for parameters and 128 for headers. These defaults can
be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT
and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2011-4858)

It was found that Tomcat did not handle large numbers of parameters and
large parameter values efficiently. A remote attacker could make Tomcat
use an excessive amount of CPU time by sending an HTTP request containing a
large number of parameters or large parameter values. This update
introduces limits on the number of parameters and headers processed per
request to address this issue. Refer to the CVE-2011-4858 description for
information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022) 
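The mechanism behind both CVEs above, as an added example that is not part of this advisory and is not Tomcat code: a Python reimplementation of java.lang.String.hashCode(), a generator of colliding parameter names built from the well-known "Aa"/"BB" pair, a toy chained hash table that counts the key comparisons colliding names force on insert, and a query-string parser run with and without a MAX_COUNT-style cap. The toy table, the parser and its choice to reject an over-limit request are this example's own assumptions; only the 512-parameter default comes from the advisory.

```python
"""Added example, not part of the Scientific Linux advisory or of Tomcat.

It models the two behaviours the advisory describes: parameter names that
share a java.lang.String.hashCode() value turn HashMap insertion into a
linear bucket scan (CVE-2011-4858), and an unbounded parameter parser lets
the client decide how much of that work the server does (CVE-2012-0022).
MAX_COUNT mirrors the 512-parameter default named in the advisory; the toy
hash table and the parser are illustrative, not Tomcat's own code.
"""
from __future__ import annotations

from urllib.parse import unquote_plus

MAX_COUNT = 512  # default parameter limit introduced by the update


def java_string_hash(s: str) -> int:
    """java.lang.String.hashCode(): h = 31*h + c over UTF-16 code units,
    truncated to a signed 32-bit int (inputs here are BMP-only)."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_names(n: int) -> list[str]:
    """Return n distinct names with identical hashCode().

    "Aa" and "BB" both hash to 2112; concatenating k such pairs in any
    order gives 2**k equal-length strings with the same hash, because
    hash(x + y) == hash(x) * 31**len(y) + hash(y)  (mod 2**32)."""
    k = max(1, (n - 1).bit_length())  # enough pair slots for n values
    return [
        "".join("BB" if (i >> bit) & 1 else "Aa" for bit in range(k))
        for i in range(n)
    ]


def insert_cost(names: list[str], buckets: int = 16) -> int:
    """Insert names into a toy chained hash table keyed by hashCode() and
    return the total number of key comparisons performed.

    Each insert walks the whole chain looking for an equal key, so n
    distinct names that share a bucket cost 0 + 1 + ... + (n-1) = n(n-1)/2
    comparisons: the quadratic CPU cost behind CVE-2011-4858."""
    table: list[list[str]] = [[] for _ in range(buckets)]
    comparisons = 0
    for name in names:
        chain = table[java_string_hash(name) % buckets]
        comparisons += len(chain)
        if name not in chain:
            chain.append(name)
    return comparisons


class TooManyParameters(Exception):
    """Raised when a request carries more parameters than the cap allows."""


def parse_query(qs: str, max_count: int | None = MAX_COUNT) -> dict[str, list[str]]:
    """Parse an x-www-form-urlencoded query string into name -> values.

    max_count=None is the pre-update behaviour the advisory describes: every
    pair the client sends is hashed and stored. With a cap, parsing stops as
    soon as the cap is exceeded, bounding per-request work. Rejecting the
    request is this example's choice; how Tomcat itself reports an overflow
    is not stated in the advisory."""
    params: dict[str, list[str]] = {}
    count = 0
    for pair in qs.split("&"):
        if not pair:
            continue
        count += 1
        if max_count is not None and count > max_count:
            raise TooManyParameters(f"request exceeds {max_count} parameters")
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def is_rejected(qs: str, max_count: int | None = MAX_COUNT) -> bool:
    """True if parse_query refuses the query string under max_count."""
    try:
        parse_query(qs, max_count)
    except TooManyParameters:
        return True
    return False


if __name__ == "__main__":
    # Constructed request bodies: 600 colliding names vs 600 ordinary ones.
    hostile = "&".join(f"{n}=x" for n in colliding_names(600))
    benign = "&".join(f"p{i}=x" for i in range(600))
    print("colliding insert cost:", insert_cost(colliding_names(600)))
    print("ordinary insert cost: ", insert_cost([f"p{i}" for i in range(600)]))
    print("hostile rejected at default cap:", is_rejected(hostile))
    print("hostile accepted when unbounded:", not is_rejected(hostile, None))
    print("benign 600-field form also rejected:", is_rejected(benign))
```

On SL5 the two system properties are normally passed through JAVA_OPTS in /etc/tomcat5/tomcat5.conf (for example -Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=1024), followed by a tomcat5 restart; after updating, `rpm -q tomcat5` should report release 0jpp.31.el5_8 or later. The cap is purely count-based, so a legitimate form with more than 512 fields hits it just as a hostile request does; size the limit to your largest real form rather than assuming the default fits.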

Users of Tomcat should upgrade to these updated packages, which correct
these issues. Tomcat must be restarted for this update to take effect.

SL5:
  i386
     tomcat5-5.5.23-0jpp.31.el5_8.i386.rpm
     tomcat5-admin-webapps-5.5.23-0jpp.31.el5_8.i386.rpm
     tomcat5-common-lib-5.5.23-0jpp.31.el5_8.i386.rpm
     tomcat5-debuginfo-5.5.23-0jpp.31.el5_8.i386.rpm
     tomcat5-jasper-5.5.23-0jpp.31.el5_8.i386.rpm
     tomcat5-jasper-javadoc-5.5.23-0jpp.31.el5_8.i386.rpm
     tomcat5-jsp-2.0-api-5.5.23-0jpp.31.el5_8.i386.rpm
     tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.31.el5_8.i386.rpm
     tomcat5-server-lib-5.5.23-0jpp.31.el5_8.i386.rpm
     tomcat5-servlet-2.4-api-5.5.23-0jpp.31.el5_8.i386.rpm
     tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.31.el5_8.i386.rpm
     tomcat5-webapps-5.5.23-0jpp.31.el5_8.i386.rpm
  x86_64
     tomcat5-5.5.23-0jpp.31.el5_8.x86_64.rpm
     tomcat5-admin-webapps-5.5.23-0jpp.31.el5_8.x86_64.rpm
     tomcat5-common-lib-5.5.23-0jpp.31.el5_8.x86_64.rpm
     tomcat5-debuginfo-5.5.23-0jpp.31.el5_8.x86_64.rpm
     tomcat5-jasper-5.5.23-0jpp.31.el5_8.x86_64.rpm
     tomcat5-jasper-javadoc-5.5.23-0jpp.31.el5_8.x86_64.rpm
     tomcat5-jsp-2.0-api-5.5.23-0jpp.31.el5_8.x86_64.rpm
     tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.31.el5_8.x86_64.rpm
     tomcat5-server-lib-5.5.23-0jpp.31.el5_8.x86_64.rpm
     tomcat5-servlet-2.4-api-5.5.23-0jpp.31.el5_8.x86_64.rpm
     tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.31.el5_8.x86_64.rpm
     tomcat5-webapps-5.5.23-0jpp.31.el5_8.x86_64.rpm

- Scientific Linux Development Team
