From: Pat Riehecky <riehecky-13hema8v3vg <at> public.gmane.org>
Subject: Security ERRATA Important: tomcat6 on SL6.x (noarch)
Newsgroups: gmane.linux.scientific.errata
Date: Tuesday 12th March 2013 15:19:14 UTC
Synopsis:          Important: tomcat6 security update
Issue Date:        2013-03-11
CVE Numbers:       CVE-2012-5885
                    CVE-2012-5886
                    CVE-2012-5887
                    CVE-2012-3546
                    CVE-2012-4534
--

It was found that when an application used FORM authentication, along with
another component that calls request.setUserPrincipal() before the call to
FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it
was possible to bypass the security constraint checks in the FORM
authenticator by appending "/j_security_check" to the end of a URL. A
remote attacker with an authenticated session on an affected application
could use this flaw to circumvent authorization controls, and thereby
access resources not permitted by the roles associated with their
authenticated session. (CVE-2012-3546)

A flaw was found in the way Tomcat handled sendfile operations when using
the HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker
could use this flaw to cause a denial of service (infinite loop). The HTTP
blocking IO (BIO) connector, which is not vulnerable to this issue, is
used by default in Scientific Linux 6. (CVE-2012-4534)

Multiple weaknesses were found in the Tomcat DIGEST authentication
implementation, effectively reducing the security normally provided by
DIGEST authentication. A remote attacker could use these flaws to perform
replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886,
CVE-2012-5887)

Tomcat must be restarted for this update to take effect.
--

SL6
   noarch
     tomcat6-6.0.24-52.el6_4.noarch.rpm
     tomcat6-admin-webapps-6.0.24-52.el6_4.noarch.rpm
     tomcat6-docs-webapp-6.0.24-52.el6_4.noarch.rpm
     tomcat6-el-2.1-api-6.0.24-52.el6_4.noarch.rpm
     tomcat6-javadoc-6.0.24-52.el6_4.noarch.rpm
     tomcat6-jsp-2.1-api-6.0.24-52.el6_4.noarch.rpm
     tomcat6-lib-6.0.24-52.el6_4.noarch.rpm
     tomcat6-servlet-2.5-api-6.0.24-52.el6_4.noarch.rpm
     tomcat6-webapps-6.0.24-52.el6_4.noarch.rpm
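As an added illustration (not part of the advisory or of the Scientific Linux tooling), the POSIX shell script below performs the two checks an administrator would want after reading this errata: whether an installed tomcat6 build is at or beyond the fixed package 6.0.24-52.el6_4, and whether server.xml selects the HTTP NIO connector that CVE-2012-4534 affects rather than the BIO connector that SL6 uses by default. It assumes the name-version-release string is in the shape printed by `rpm -q tomcat6` and that the NIO connector is selected with `protocol="org.apache.coyote.http11.Http11NioProtocol"` as in the Tomcat 6 server.xml; the sample inputs are constructed so the script runs offline.

```shell
#!/bin/sh
# Fixed version-release taken from the package list in this advisory.
FIXED_EVR="6.0.24-52.el6_4"

# Split a name-version-release string such as "tomcat6-6.0.24-52.el6_4.noarch"
# (the shape `rpm -q tomcat6` prints) into its version and release parts.
nvr_version() { v=${1#tomcat6-}; v=${v%%-*}; printf '%s\n' "$v"; }
nvr_release() { r=${1#tomcat6-}; r=${r#*-}; r=${r%.noarch}; printf '%s\n' "$r"; }

# Compare two dotted numeric strings component by component; prints -1, 0 or 1.
dotcmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$x" = "$a" ]; then a=''; else a=${a#*.}; fi
    if [ "$y" = "$b" ]; then b=''; else b=${b#*.}; fi
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
  done
  echo 0
}

# True (exit 0) when the installed NVR is at or past the fixed build.
# A newer upstream version always counts as fixed; for the same version the
# leading release number (52 in 52.el6_4) must be at least the fixed one.
tomcat6_is_fixed() {
  v=$(nvr_version "$1"); r=$(nvr_release "$1")
  fv=${FIXED_EVR%%-*}; fr=${FIXED_EVR#*-}
  case $(dotcmp "$v" "$fv") in
    1)  return 0 ;;
    -1) return 1 ;;
  esac
  [ "${r%%.*}" -ge "${fr%%.*}" ]
}

# Reads a server.xml on stdin; true when any <Connector> selects the NIO
# implementation. The file is flattened first because Connector elements
# usually span several lines.
uses_nio_connector() {
  tr '\n' ' ' | grep -Eq '<Connector[^>]*protocol="org\.apache\.coyote\.http11\.Http11NioProtocol"'
}

# Constructed sample configurations (assumptions, not files from any real host).
SAMPLE_BIO_XML='<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" />
</Service></Server>'
SAMPLE_NIO_XML='<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" />
</Service></Server>'

# Demonstration against a constructed pre-update and post-update NVR.
for nvr in tomcat6-6.0.24-48.el6_3.noarch tomcat6-6.0.24-52.el6_4.noarch; do
  if tomcat6_is_fixed "$nvr"; then echo "$nvr: fixed build"; else echo "$nvr: needs update"; fi
done
if printf '%s\n' "$SAMPLE_NIO_XML" | uses_nio_connector; then
  echo "sample config uses the NIO connector (CVE-2012-4534 applies until updated)"
fi
if ! printf '%s\n' "$SAMPLE_BIO_XML" | uses_nio_connector; then
  echo "sample config uses the default BIO connector (not affected by CVE-2012-4534)"
fi
```

On a live SL6 host the same functions would be fed `$(rpm -q tomcat6)` and `/etc/tomcat6/server.xml`; the package check says only whether the fixed build is installed, so a restart of the tomcat6 service is still needed for the update to take effect, as the advisory states.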

- Scientific Linux Development Team