SCIENTIFIC-LINUX-ERRATA Archives

March 2013

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

Subject:
From: Pat Riehecky <[log in to unmask]>
Date: Tue, 12 Mar 2013 10:19:14 -0500
Synopsis:          Important: tomcat6 security update
Issue Date:        2013-03-11
CVE Numbers:       CVE-2012-5885
                    CVE-2012-5886
                    CVE-2012-5887
                    CVE-2012-3546
                    CVE-2012-4534
--

It was found that when an application used FORM authentication, along with
another component that calls request.setUserPrincipal() before the call to
FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it
was possible to bypass the security constraint checks in the FORM
authenticator by appending "/j_security_check" to the end of a URL. A
remote attacker with an authenticated session on an affected application
could use this flaw to circumvent authorization controls, and thereby
access resources not permitted by the roles associated with their
authenticated session. (CVE-2012-3546)
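A defender's view of the pattern described above, as an added example that is not part of the original advisory: the detector below scans Tomcat access-log lines in the default common format and flags "/j_security_check" requests whose path prefix is not a known web-application context root, which is the shape a CVE-2012-3546 attempt leaves behind. The log lines are constructed, and the single context path "/app" is an assumption to be replaced with your own deployment's contexts.

```python
import re
from urllib.parse import urlsplit

# Constructed access-log lines in Tomcat's default "common" pattern (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2013:10:19:14 -0500] "GET /app/login.jsp HTTP/1.1" 200 1043
10.0.0.5 - - [12/Mar/2013:10:19:20 -0500] "POST /app/j_security_check HTTP/1.1" 302 -
10.0.0.5 - alice [12/Mar/2013:10:19:25 -0500] "GET /app/user/home HTTP/1.1" 200 2210
10.0.0.5 - alice [12/Mar/2013:10:19:40 -0500] "GET /app/admin/reports/j_security_check HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2013:10:20:01 -0500] "GET /app/j_security_check/ HTTP/1.1" 302 -
"""

# Fields of the common log format; the trailing referer/user-agent of the
# combined format is simply ignored because the pattern is not end-anchored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: one application deployed at context path /app. Its login form
# legitimately posts to /app/j_security_check; any other prefix is suspect.
KNOWN_CONTEXTS = {"/app"}

LOGIN_SUFFIX = "/j_security_check"


def suspicious_jsc_requests(log_text, known_contexts=KNOWN_CONTEXTS):
    """Return (ip, user, target, status) for every j_security_check request
    whose path prefix is not a known context root, i.e. the suffix was
    appended to some other resource. A 200 with a non "-" user on such a
    line means a protected resource was served to an authenticated session."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        # Drop query string and a trailing slash before comparing the suffix.
        path = urlsplit(m["target"]).path.rstrip("/")
        if not path.endswith(LOGIN_SUFFIX):
            continue
        prefix = path[: -len(LOGIN_SUFFIX)]
        if prefix not in known_contexts:
            hits.append((m["ip"], m["user"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in suspicious_jsc_requests(SAMPLE_LOG):
        print("suspicious j_security_check request:", hit)
```

Only the request whose j_security_check suffix sits under /app/admin/reports is reported; the two genuine login posts to the context root, with and without a trailing slash, are not.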

A flaw was found in the way Tomcat handled sendfile operations when using
the HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker
could use this flaw to cause a denial of service (infinite loop). The HTTP
blocking IO (BIO) connector, which is not vulnerable to this issue, is
used by default in Scientific Linux 6. (CVE-2012-4534)

Multiple weaknesses were found in the Tomcat DIGEST authentication
implementation, effectively reducing the security normally provided by
DIGEST authentication. A remote attacker could use these flaws to perform
replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886,
CVE-2012-5887)

Tomcat must be restarted for this update to take effect.
--

SL6
   noarch
     tomcat6-6.0.24-52.el6_4.noarch.rpm
     tomcat6-admin-webapps-6.0.24-52.el6_4.noarch.rpm
     tomcat6-docs-webapp-6.0.24-52.el6_4.noarch.rpm
     tomcat6-el-2.1-api-6.0.24-52.el6_4.noarch.rpm
     tomcat6-javadoc-6.0.24-52.el6_4.noarch.rpm
     tomcat6-jsp-2.1-api-6.0.24-52.el6_4.noarch.rpm
     tomcat6-lib-6.0.24-52.el6_4.noarch.rpm
     tomcat6-servlet-2.5-api-6.0.24-52.el6_4.noarch.rpm
     tomcat6-webapps-6.0.24-52.el6_4.noarch.rpm

- Scientific Linux Development Team
