Synopsis: Important: tomcat security update Issue date: 2008-08-27 CVE Names: CVE-2008-1232 CVE-2008-1947 CVE-2008-2370 CVE-2008-2938 A cross-site scripting vulnerability was discovered in the HttpServletResponse.sendError() method. A remote attacker could inject arbitrary web script or HTML via forged HTTP headers. (CVE-2008-1232) An additional cross-site scripting vulnerability was discovered in the host manager application. A remote attacker could inject arbitrary web script or HTML via the hostname parameter. (CVE-2008-1947) A traversal vulnerability was discovered when using a RequestDispatcher in combination with a servlet or JSP. A remote attacker could utilize a specially-crafted request parameter to access protected web resources. (CVE-2008-2370) An additional traversal vulnerability was discovered when the "allowLinking" and "URIencoding" settings were activated. A remote attacker could use a UTF-8-encoded request to extend their privileges and obtain local files accessible to the Tomcat process. (CVE-2008-2938) SL 5.x SRPMS: tomcat5-5.5.23-0jpp.7.el5_2.1.src.rpm i386: tomcat5-5.5.23-0jpp.7.el5_2.1.i386.rpm tomcat5-admin-webapps-5.5.23-0jpp.7.el5_2.1.i386.rpm tomcat5-common-lib-5.5.23-0jpp.7.el5_2.1.i386.rpm tomcat5-jasper-5.5.23-0jpp.7.el5_2.1.i386.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_2.1.i386.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_2.1.i386.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_2.1.i386.rpm tomcat5-server-lib-5.5.23-0jpp.7.el5_2.1.i386.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_2.1.i386.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_2.1.i386.rpm tomcat5-webapps-5.5.23-0jpp.7.el5_2.1.i386.rpm x86_64: tomcat5-5.5.23-0jpp.7.el5_2.1.x86_64.rpm tomcat5-admin-webapps-5.5.23-0jpp.7.el5_2.1.x86_64.rpm tomcat5-common-lib-5.5.23-0jpp.7.el5_2.1.x86_64.rpm tomcat5-jasper-5.5.23-0jpp.7.el5_2.1.x86_64.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_2.1.x86_64.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_2.1.x86_64.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_2.1.x86_64.rpm tomcat5-server-lib-5.5.23-0jpp.7.el5_2.1.x86_64.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_2.1.x86_64.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_2.1.x86_64.rpm tomcat5-webapps-5.5.23-0jpp.7.el5_2.1.x86_64.rpm -Connie Sieh -Troy Dawson