Synopsis: Important: tomcat5 security update Advisory ID: SLSA-2013:0870-1 Issue Date: 2013-05-28 CVE Numbers: CVE-2013-1976 -- A flaw was found in the way the tomcat5 init script handled the catalina.out log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root. (CVE-2013-1976) Note: With this update, /var/log/tomcat5/catalina.out has been moved to the /var/log/tomcat5-initd.log file. Tomcat must be restarted for this update to take effect. -- SL5 x86_64 tomcat5-debuginfo-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-admin-webapps-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-common-lib-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-jasper-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-server-lib-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.40.el5_9.x86_64.rpm tomcat5-webapps-5.5.23-0jpp.40.el5_9.x86_64.rpm i386 tomcat5-debuginfo-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-jsp-2.0-api-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-servlet-2.4-api-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-admin-webapps-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-common-lib-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-jasper-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-jasper-javadoc-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-server-lib-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.40.el5_9.i386.rpm tomcat5-webapps-5.5.23-0jpp.40.el5_9.i386.rpm - Scientific Linux Development Team