Synopsis: Important: tomcat6 security and bug fix update Issue date: 2011-03-09 CVE Names: CVE-2010-4476 CVE-2011-0534 A denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Tomcat to hang via a specially-crafted HTTP request. (CVE-2010-4476) A flaw was found in the Tomcat NIO (Non-Blocking I/O) connector. A remote attacker could use this flaw to cause a denial of service (out-of-memory condition) via a specially-crafted request containing a large NIO buffer size request value. (CVE-2011-0534) This update also fixes the following bug: * A bug in the "tomcat6" init script prevented additional Tomcat instances from starting. As well, running "service tomcat6 start" caused configuration options applied from "/etc/sysconfig/tomcat6" to be overwritten with those from "/etc/tomcat6/tomcat6.conf". With this update, multiple instances of Tomcat run as expected. (BZ#676922) Tomcat must be restarted for this update to take effect. SL 6.x SRPMS: tomcat6-6.0.24-24.el6_0.src.rpm i386: tomcat6-6.0.24-24.el6_0.noarch.rpm tomcat6-admin-webapps-6.0.24-24.el6_0.noarch.rpm tomcat6-docs-webapp-6.0.24-24.el6_0.noarch.rpm tomcat6-el-2.1-api-6.0.24-24.el6_0.noarch.rpm tomcat6-javadoc-6.0.24-24.el6_0.noarch.rpm tomcat6-jsp-2.1-api-6.0.24-24.el6_0.noarch.rpm tomcat6-lib-6.0.24-24.el6_0.noarch.rpm tomcat6-log4j-6.0.24-24.el6_0.noarch.rpm tomcat6-servlet-2.5-api-6.0.24-24.el6_0.noarch.rpm tomcat6-webapps-6.0.24-24.el6_0.noarch.rpm x86_64: tomcat6-6.0.24-24.el6_0.noarch.rpm tomcat6-admin-webapps-6.0.24-24.el6_0.noarch.rpm tomcat6-docs-webapp-6.0.24-24.el6_0.noarch.rpm tomcat6-el-2.1-api-6.0.24-24.el6_0.noarch.rpm tomcat6-javadoc-6.0.24-24.el6_0.noarch.rpm tomcat6-jsp-2.1-api-6.0.24-24.el6_0.noarch.rpm tomcat6-lib-6.0.24-24.el6_0.noarch.rpm tomcat6-log4j-6.0.24-24.el6_0.noarch.rpm tomcat6-servlet-2.5-api-6.0.24-24.el6_0.noarch.rpm tomcat6-webapps-6.0.24-24.el6_0.noarch.rpm -Connie Sieh -Troy Dawson