From: <riehecky-13hema8v3vg <at> public.gmane.org>
Subject: Security ERRATA Moderate: tomcat6 on SL6.x
Newsgroups: gmane.linux.scientific.errata
Date: Wednesday 11th April 2012 20:28:30 UTC (over 4 years ago)
Synopsis:    Moderate: tomcat6 security update
Issue Date:  2012-04-11
CVE Numbers: CVE-2011-4858
             CVE-2012-0022


Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

It was found that the Java hashCode() method implementation was susceptible
to predictable hash collisions. A remote attacker could use this flaw to
cause Tomcat to use an excessive amount of CPU time by sending an HTTP
request with a large number of parameters whose names map to the same hash
value. This update introduces a limit on the number of parameters processed
per request to mitigate this issue. The default limit is 512 for
parameters and 128 for headers. These defaults can be changed by setting
the org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2011-4858)

It was found that Tomcat did not handle large numbers of parameters and
large parameter values efficiently. A remote attacker could make Tomcat
use an excessive amount of CPU time by sending an HTTP request containing a
large number of parameters or large parameter values. This update
introduces limits on the number of parameters and headers processed per
request to address this issue. Refer to the CVE-2011-4858 description for
information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022) 
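Both fixes above come down to the same control: count request parameters and headers as they arrive and stop at a fixed limit, so the total work per request is bounded regardless of how the parameter names hash. The following Python parser is an added example that models that control; it is not Tomcat's code and not part of the errata. The default numbers (512 and 128) are the ones the advisory quotes for the two `MAX_COUNT` system properties, which on a real deployment are set as `-D` options on the JVM command line; the function and exception names here are assumptions made for the illustration, and the choice to reject an over-limit request outright (rather than truncate it) is also this example's own, since the advisory does not say which Tomcat does.

```python
from urllib.parse import unquote_plus

# Defaults quoted in the advisory for the two Tomcat system properties.
DEFAULT_MAX_PARAMS = 512    # org.apache.tomcat.util.http.Parameters.MAX_COUNT
DEFAULT_MAX_HEADERS = 128   # org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT


class RequestLimitExceeded(Exception):
    """Raised when a request carries more parameters or headers than the limit.
    (Hypothetical name chosen for this example.)"""


def parse_query_bounded(query, max_params=DEFAULT_MAX_PARAMS):
    """Parse an application/x-www-form-urlencoded query string into a dict of
    name -> list of values.  The pair counter runs *before* each insertion into
    the hash table, so the work per request is capped at max_params lookups
    even if every parameter name lands in the same bucket."""
    params = {}
    count = 0
    for pair in query.split("&"):
        if not pair:
            continue  # tolerate "a=1&&b=2"
        count += 1
        if count > max_params:
            raise RequestLimitExceeded(
                f"request has more than {max_params} parameters")
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def parse_headers_bounded(header_lines, max_headers=DEFAULT_MAX_HEADERS):
    """Parse 'Name: value' lines into a dict, stopping at the first blank line
    (end of the header block) and refusing requests with more than
    max_headers header lines."""
    headers = {}
    count = 0
    for line in header_lines:
        if not line.strip():
            break
        count += 1
        if count > max_headers:
            raise RequestLimitExceeded(
                f"request has more than {max_headers} headers")
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def query_within_limit(query, max_params=DEFAULT_MAX_PARAMS):
    """True if the query string parses without tripping the parameter limit."""
    try:
        parse_query_bounded(query, max_params)
    except RequestLimitExceeded:
        return False
    return True


def headers_within_limit(header_lines, max_headers=DEFAULT_MAX_HEADERS):
    """True if the header block parses without tripping the header limit."""
    try:
        parse_headers_bounded(header_lines, max_headers)
    except RequestLimitExceeded:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample input: a small benign form, and a request carrying
    # 600 distinct parameters (the kind of volume the limit exists to cap).
    small = "user=alice&action=save&note=hello+world"
    flood = "&".join(f"p{i}=x" for i in range(600))
    print("small query ok:", query_within_limit(small))      # True
    print("600-param query ok:", query_within_limit(flood))  # False
    many_headers = [f"X-Custom-{i}: v" for i in range(200)] + [""]
    print("200 headers ok:", headers_within_limit(many_headers))  # False
```

The point to take from the model is where the check sits: the count is incremented and compared before the name is hashed and inserted, so an attacker who controls only the number of parameters cannot make the server do more than a fixed amount of hashing per request. Raising the limit above the defaults re-opens exactly that budget, which is why the advisory treats the two properties as tuning knobs rather than settings to disable.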

Users of Tomcat should upgrade to these updated packages, which correct
these issues. Tomcat must be restarted for this update to take effect.

SL6:
  noarch
     tomcat6-6.0.24-36.el6_2.noarch.rpm
     tomcat6-admin-webapps-6.0.24-36.el6_2.noarch.rpm
     tomcat6-docs-webapp-6.0.24-36.el6_2.noarch.rpm
     tomcat6-el-2.1-api-6.0.24-36.el6_2.noarch.rpm
     tomcat6-javadoc-6.0.24-36.el6_2.noarch.rpm
     tomcat6-jsp-2.1-api-6.0.24-36.el6_2.noarch.rpm
     tomcat6-lib-6.0.24-36.el6_2.noarch.rpm
     tomcat6-servlet-2.5-api-6.0.24-36.el6_2.noarch.rpm
     tomcat6-webapps-6.0.24-36.el6_2.noarch.rpm

- Scientific Linux Development Team