SCIENTIFIC-LINUX-ERRATA Archives

March 2013

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Pat Riehecky <[log in to unmask]>
Date: Tue, 12 Mar 2013 16:10:11 -0500
Synopsis:          Important: tomcat5 security update
Issue Date:        2013-03-12
CVE Numbers:       CVE-2012-5885
                    CVE-2012-5886
                    CVE-2012-5887
                    CVE-2012-3546
--

It was found that when an application used FORM authentication, along with
another component that calls request.setUserPrincipal() before the call to
FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it
was possible to bypass the security constraint checks in the FORM
authenticator by appending "/j_security_check" to the end of a URL. A
remote attacker with an authenticated session on an affected application
could use this flaw to circumvent authorization controls, and thereby
access resources not permitted by the roles associated with their
authenticated session. (CVE-2012-3546)

Multiple weaknesses were found in the Tomcat DIGEST authentication
implementation, effectively reducing the security normally provided by
DIGEST authentication. A remote attacker could use these flaws to perform
replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886,
CVE-2012-5887)

Tomcat must be restarted for this update to take effect.
--

SL5
   x86_64
     tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.x86_64.rpm
     tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.x86_64.rpm
     tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.x86_64.rpm
     tomcat5-5.5.23-0jpp.38.el5_9.x86_64.rpm
     tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm
     tomcat5-common-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm
     tomcat5-jasper-5.5.23-0jpp.38.el5_9.x86_64.rpm
     tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm
     tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm
     tomcat5-server-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm
     tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm
     tomcat5-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm
   i386
     tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.i386.rpm
     tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.i386.rpm
     tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.i386.rpm
     tomcat5-5.5.23-0jpp.38.el5_9.i386.rpm
     tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.i386.rpm
     tomcat5-common-lib-5.5.23-0jpp.38.el5_9.i386.rpm
     tomcat5-jasper-5.5.23-0jpp.38.el5_9.i386.rpm
     tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm
     tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm
     tomcat5-server-lib-5.5.23-0jpp.38.el5_9.i386.rpm
     tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm
     tomcat5-webapps-5.5.23-0jpp.38.el5_9.i386.rpm

- Scientific Linux Development Team
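To confirm that a host actually carries the fixed build, compare the installed tomcat5 packages against the version-release in the list above using rpm's own ordering rules rather than a string compare (a plain string compare mis-orders "0jpp.38" against "0jpp.9", for instance). The script below is an added example, not part of this errata notice or the Scientific Linux team's tooling; it reimplements the rpmvercmp ordering (numeric segments beat alphabetic ones, tilde sorts before anything, the caret rule of newer rpm is not modelled), parses name-version-release.arch strings, and reports each advisory package as patched or vulnerable. The SAMPLE_RPM_QA block is constructed for the demonstration; on a real system feed it the output of the rpm -qa command shown in the comment.

```python
import re

# Fixed package builds, copied from the advisory's SL5 package list above
# (version-release is identical across architectures, so one entry per name).
FIXED_PACKAGES = [
    "tomcat5-5.5.23-0jpp.38.el5_9.x86_64.rpm",
    "tomcat5-common-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm",
    "tomcat5-server-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm",
    "tomcat5-jasper-5.5.23-0jpp.38.el5_9.x86_64.rpm",
    "tomcat5-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm",
    "tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm",
]

# rpm splits a version string into runs of digits, runs of letters and the
# tilde marker; every other character is a separator and is ignored.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Order two version or release strings as rpm does. Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    while sa or sb:
        # A tilde sorts before everything, including the end of the string.
        if (sa and sa[0] == "~") or (sb and sb[0] == "~"):
            if not sa or sa[0] != "~":
                return 1
            if not sb or sb[0] != "~":
                return -1
            sa.pop(0)
            sb.pop(0)
            continue
        # Whichever side still has segments left is the newer one.
        if not sa:
            return -1
        if not sb:
            return 1
        x, y = sa.pop(0), sb.pop(0)
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:          # a numeric segment is newer than alphabetic
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)  # compare numerically, leading zeros ignored
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def parse_nvra(pkg):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch).

    Names may contain '-' and '.', so split from the right: the architecture is
    the last dot-separated field and version/release the last two dash fields."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def evr_cmp(installed, fixed):
    """Compare (version, release) pairs; release only decides ties on version."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def audit(installed_lines, fixed=FIXED_PACKAGES):
    """Map each installed advisory package ('name.arch') to 'patched' or 'vulnerable'.

    installed_lines: one package per line, as printed by
      rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
    Packages not named in the advisory are ignored."""
    wanted = {}
    for f in fixed:
        name, version, release, _ = parse_nvra(f)
        wanted[name] = (version, release)
    result = {}
    for line in installed_lines:
        line = line.strip()
        if not line:
            continue
        name, version, release, arch = parse_nvra(line)
        if name not in wanted:
            continue
        ok = evr_cmp((version, release), wanted[name]) >= 0
        result[f"{name}.{arch}"] = "patched" if ok else "vulnerable"
    return result


# Constructed sample of rpm -qa output (not from a real host): one package a
# build behind, one at the fixed build, one from an older el5 point release,
# one newer than the fix, and one unrelated package.
SAMPLE_RPM_QA = """\
tomcat5-5.5.23-0jpp.37.el5_9.x86_64
tomcat5-common-lib-5.5.23-0jpp.38.el5_9.x86_64
tomcat5-webapps-5.5.23-0jpp.38.el5_8.x86_64
tomcat5-jasper-5.5.23-0jpp.40.el5_9.x86_64
openssl-0.9.8e-26.el5_9.1.x86_64
""".splitlines()

if __name__ == "__main__":
    for pkg, status in sorted(audit(SAMPLE_RPM_QA).items()):
        print(f"{status:10s} {pkg}")
```

A "patched" verdict only means the fixed files are on disk; as the notice says, the running Tomcat still has to be restarted before the fix is in effect, so pair the package check with a look at the start time of the java process.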
