From bugzilla at redhat.com Mon Sep 21 15:58:16 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 21 Sep 2009 11:58:16 -0400
Subject: [RHSA-2009:1454-01] Important: tomcat5 security update
Message-ID: <200909211558.n8LFwG7H008443@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: tomcat5 security update
Advisory ID:       RHSA-2009:1454-01
Product:           JBoss Enterprise Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1454.html
Issue date:        2009-09-21
CVE Names:         CVE-2007-5333 CVE-2008-5515 CVE-2009-0033
                   CVE-2009-0580 CVE-2009-0783
=====================================================================

1. Summary:

Updated tomcat5 packages that fix several security issues are now available
for JBoss Enterprise Web Server 1.0.0 for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

JBoss Enterprise Web Server 4AS-JBEWS-5.0.0 - noarch
JBoss Enterprise Web Server 4ES-JBEWS-5.0.0 - noarch
JBoss Enterprise Web Server 5Server-JBEWS-5.0.0 - noarch

3. Description:

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

It was discovered that Tomcat does not properly handle a certain character
and character sequence in cookie values. A remote attacker could use this
flaw to obtain sensitive information, such as session IDs, and then use
this information for session hijacking attacks. (CVE-2007-5333)

Note: The fix for the CVE-2007-5333 flaw changes the default cookie
processing behavior: With this update, version 0 cookies that contain
values that must be quoted to be valid are automatically changed to version
1 cookies.
To reactivate the previous, but insecure behavior, add the following entry
to the "/etc/tomcat5/catalina.properties" file:

org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false

It was discovered that request dispatchers did not properly normalize user
requests that have trailing query strings, allowing remote attackers to
send specially-crafted requests that would cause an information leak.
(CVE-2008-5515)

A flaw was found in the way the Tomcat AJP (Apache JServ Protocol)
connector processes AJP connections. An attacker could use this flaw to
send specially-crafted requests that would cause a temporary denial of
service. (CVE-2009-0033)

It was discovered that the error checking methods of certain
authentication classes did not have sufficient error checking, allowing
remote attackers to enumerate (via brute force methods) usernames
registered with applications running on Tomcat when FORM-based
authentication was used. (CVE-2009-0580)

It was discovered that web applications containing their own XML parsers
could replace the XML parser Tomcat uses to parse configuration files. A
malicious web application running on a Tomcat instance could read or,
potentially, modify the configuration and XML-based data of other web
applications deployed on the same Tomcat instance. (CVE-2009-0783)

Users of Tomcat should upgrade to these updated packages, which contain
backported patches to resolve these issues. Tomcat must be restarted for
this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

427766 - CVE-2007-5333 Improve cookie parsing for tomcat5
493381 - CVE-2009-0033 tomcat6 Denial-Of-Service with AJP connection
503978 - CVE-2009-0580 tomcat6 Information disclosure in authentication classes
504153 - CVE-2009-0783 tomcat XML parser information disclosure
504753 - CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability

6. Package List:

JBoss Enterprise Web Server 4AS-JBEWS-5.0.0:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/tomcat5-5.5.23-1.patch07.18.ep5.el4.src.rpm

noarch:
tomcat5-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-admin-webapps-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-common-lib-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-jasper-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-jasper-javadoc-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-jsp-2.0-api-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-jsp-2.0-api-javadoc-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-server-lib-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-servlet-2.4-api-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-servlet-2.4-api-javadoc-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-webapps-5.5.23-1.patch07.18.ep5.el4.noarch.rpm

JBoss Enterprise Web Server 4ES-JBEWS-5.0.0:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/tomcat5-5.5.23-1.patch07.18.ep5.el4.src.rpm

noarch:
tomcat5-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-admin-webapps-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-common-lib-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-jasper-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-jasper-javadoc-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-jsp-2.0-api-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-jsp-2.0-api-javadoc-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-server-lib-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-servlet-2.4-api-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-servlet-2.4-api-javadoc-5.5.23-1.patch07.18.ep5.el4.noarch.rpm
tomcat5-webapps-5.5.23-1.patch07.18.ep5.el4.noarch.rpm

JBoss Enterprise Web Server 5Server-JBEWS-5.0.0:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/tomcat5-5.5.23-0jpp.9.6.ep5.el5.src.rpm

noarch:
tomcat5-5.5.23-0jpp.9.6.ep5.el5.noarch.rpm
tomcat5-admin-webapps-5.5.23-0jpp.9.6.ep5.el5.noarch.rpm
tomcat5-common-lib-5.5.23-0jpp.9.6.ep5.el5.noarch.rpm
tomcat5-jasper-5.5.23-0jpp.9.6.ep5.el5.noarch.rpm
tomcat5-jasper-javadoc-5.5.23-0jpp.9.6.ep5.el5.noarch.rpm
tomcat5-jsp-2.0-api-5.5.23-0jpp.9.6.ep5.el5.noarch.rpm
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.9.6.ep5.el5.noarch.rpm
tomcat5-server-lib-5.5.23-0jpp.9.6.ep5.el5.noarch.rpm
tomcat5-servlet-2.4-api-5.5.23-0jpp.9.6.ep5.el5.noarch.rpm
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.9.6.ep5.el5.noarch.rpm
tomcat5-webapps-5.5.23-0jpp.9.6.ep5.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
http://tomcat.apache.org/security-5.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKt6IiXlSAg2UNWIIRAk2nAKCfAWULmtx7Su6/0RVRRvbls+R1EwCfb9GM
WWktyTuvV5v/YFpHdwOaunY=
=tE7T
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Sep 24 16:07:22 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 24 Sep 2009 12:07:22 -0400
Subject: [RHSA-2009:1462-01] Moderate: httpd22 security update
Message-ID: <200909241607.n8OG7MM9016244@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: httpd22 security update
Advisory ID:       RHSA-2009:1462-01
Product:           JBoss Enterprise Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1462.html
Issue date:        2009-09-24
CVE Names:         CVE-2009-2412
=====================================================================

1. Summary:

Updated httpd22 packages that fix multiple security issues are now
available for JBoss Enterprise Web Server 1.0.0 for Red Hat Enterprise
Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

JBoss Enterprise Web Server 1.0.0 for RHEL 4 AS - i386, x86_64
JBoss Enterprise Web Server 1.0.0 for RHEL 4 ES - i386, x86_64

3. Description:

The Apache HTTP Server is a popular Web server.

The httpd22 packages shipped with JBoss Enterprise Web Server 1.0.0 for Red
Hat Enterprise Linux 4 contain embedded copies of the Apache Portable
Runtime (APR) libraries, which provide a free library of C data structures
and routines, and also additional utility interfaces to support XML
parsing, LDAP, database interfaces, URI parsing, and more.

Multiple integer overflow flaws, leading to heap-based buffer overflows,
were found in the way the Apache Portable Runtime (APR) manages memory pool
and relocatable memory allocations.
An attacker could use these flaws to issue a specially-crafted request for
memory allocation, which would lead to a denial of service (application
crash) or, potentially, execute arbitrary code with the privileges of an
application using the APR libraries. (CVE-2009-2412)

All users of JBoss Enterprise Web Server 1.0.0 should upgrade to these
updated packages, which contain backported patches to correct these
issues. After installing the updated packages, the httpd daemon must be
restarted for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

515698 - CVE-2009-2412 apr, apr-util: Integer overflows in memory pool (apr) and relocatable memory (apr-util) management

6. Package List:

JBoss Enterprise Web Server 1.0.0 for RHEL 4 AS:

i386:
httpd22-2.2.10-24.1.ep5.el4.i386.rpm
httpd22-apr-2.2.10-24.1.ep5.el4.i386.rpm
httpd22-apr-devel-2.2.10-24.1.ep5.el4.i386.rpm
httpd22-apr-util-2.2.10-24.1.ep5.el4.i386.rpm
httpd22-apr-util-devel-2.2.10-24.1.ep5.el4.i386.rpm
httpd22-debuginfo-2.2.10-24.1.ep5.el4.i386.rpm
httpd22-devel-2.2.10-24.1.ep5.el4.i386.rpm
mod_ssl22-2.2.10-24.1.ep5.el4.i386.rpm

x86_64:
httpd22-2.2.10-24.1.ep5.el4.x86_64.rpm
httpd22-apr-2.2.10-24.1.ep5.el4.x86_64.rpm
httpd22-apr-devel-2.2.10-24.1.ep5.el4.x86_64.rpm
httpd22-apr-util-2.2.10-24.1.ep5.el4.x86_64.rpm
httpd22-apr-util-devel-2.2.10-24.1.ep5.el4.x86_64.rpm
httpd22-debuginfo-2.2.10-24.1.ep5.el4.x86_64.rpm
httpd22-devel-2.2.10-24.1.ep5.el4.x86_64.rpm
mod_ssl22-2.2.10-24.1.ep5.el4.x86_64.rpm

JBoss Enterprise Web Server 1.0.0 for RHEL 4 ES:

i386:
httpd22-2.2.10-24.1.ep5.el4.i386.rpm
httpd22-apr-2.2.10-24.1.ep5.el4.i386.rpm
httpd22-apr-devel-2.2.10-24.1.ep5.el4.i386.rpm
httpd22-apr-util-2.2.10-24.1.ep5.el4.i386.rpm
httpd22-apr-util-devel-2.2.10-24.1.ep5.el4.i386.rpm
httpd22-debuginfo-2.2.10-24.1.ep5.el4.i386.rpm
httpd22-devel-2.2.10-24.1.ep5.el4.i386.rpm
mod_ssl22-2.2.10-24.1.ep5.el4.i386.rpm

x86_64:
httpd22-2.2.10-24.1.ep5.el4.x86_64.rpm
httpd22-apr-2.2.10-24.1.ep5.el4.x86_64.rpm
httpd22-apr-devel-2.2.10-24.1.ep5.el4.x86_64.rpm
httpd22-apr-util-2.2.10-24.1.ep5.el4.x86_64.rpm
httpd22-apr-util-devel-2.2.10-24.1.ep5.el4.x86_64.rpm
httpd22-debuginfo-2.2.10-24.1.ep5.el4.x86_64.rpm
httpd22-devel-2.2.10-24.1.ep5.el4.x86_64.rpm
mod_ssl22-2.2.10-24.1.ep5.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKu5kbXlSAg2UNWIIRAh32AJ9pOR3pV++w4G/6IYyHKR9+mc1jCgCfRQZF
GvAGoVtDq/kbDrQKbSh6r38=
=poAM
-----END PGP SIGNATURE-----
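Editor's worked example for the APR flaw described in RHSA-2009:1462 (CVE-2009-2412), added here and not taken from APR's source or from Red Hat's backported patch. It shows the bug class the advisory names: an allocation size rounded up to an alignment boundary with no overflow check can wrap to a tiny value, so the "does it fit" test passes and the caller is handed far less memory than it believes it has. The toy bump allocator, the 8-byte alignment constant and every function name below are assumptions made for the illustration; a check of the "rounded size smaller than requested size" shape is what stops it.

```c
/*
 * Added illustration (not APR's code): alignment rounding that wraps, and
 * the overflow check that refuses it. The toy pool, ALIGN_DEFAULT and the
 * function names are assumptions made for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALIGN_DEFAULT 8

/* Round sz up to a multiple of ALIGN_DEFAULT with no overflow check:
 * for any sz > SIZE_MAX - 7 the addition wraps and the result is tiny. */
size_t align_unchecked(size_t sz)
{
    return (sz + ALIGN_DEFAULT - 1) & ~(size_t)(ALIGN_DEFAULT - 1);
}

/* Same rounding, but report failure (0) when the result wrapped. */
int align_checked(size_t sz, size_t *out)
{
    size_t rounded = align_unchecked(sz);
    if (rounded < sz)           /* rounding up can never legitimately shrink */
        return 0;
    *out = rounded;
    return 1;
}

/* Convenience wrapper so callers can ask "would this size be accepted?" */
int checked_accepts(size_t sz)
{
    size_t ignored;
    return align_checked(sz, &ignored);
}

/* Toy bump allocator standing in for a memory pool: fixed arena + cursor. */
struct toy_pool {
    unsigned char arena[64];
    size_t used;
};

/* Vulnerable allocator: a wrapped size passes the capacity test, so the
 * caller gets a pointer it believes covers 'request' bytes while the pool
 * reserved almost nothing behind it. */
void *pool_alloc_vulnerable(struct toy_pool *p, size_t request, size_t *reserved)
{
    size_t sz = align_unchecked(request);
    if (sz > sizeof p->arena - p->used)
        return NULL;
    void *ptr = p->arena + p->used;
    p->used += sz;
    *reserved = sz;
    return ptr;
}

/* Fixed allocator: the overflow check rejects the request before the
 * capacity test ever runs. */
void *pool_alloc_fixed(struct toy_pool *p, size_t request, size_t *reserved)
{
    size_t sz;
    if (!align_checked(request, &sz))
        return NULL;
    if (sz > sizeof p->arena - p->used)
        return NULL;
    void *ptr = p->arena + p->used;
    p->used += sz;
    *reserved = sz;
    return ptr;
}

/* Request a size that rounds past SIZE_MAX; returns the number of bytes the
 * vulnerable pool actually reserved (0 when the allocation "succeeded" on a
 * wrapped size), or SIZE_MAX if it refused. */
size_t demo_vulnerable_reserved(void)
{
    struct toy_pool pool;
    size_t reserved = SIZE_MAX;
    memset(&pool, 0, sizeof pool);
    if (pool_alloc_vulnerable(&pool, SIZE_MAX - 3, &reserved) == NULL)
        return SIZE_MAX;
    return reserved;
}

/* Same request against the fixed pool; returns 1 if it was refused. */
int demo_fixed_refuses(void)
{
    struct toy_pool pool;
    size_t reserved = 0;
    memset(&pool, 0, sizeof pool);
    return pool_alloc_fixed(&pool, SIZE_MAX - 3, &reserved) == NULL;
}

int main(void)
{
    printf("align_unchecked(SIZE_MAX - 3) = %zu\n", align_unchecked(SIZE_MAX - 3));
    printf("vulnerable pool reserved %zu bytes for a near-SIZE_MAX request\n",
           demo_vulnerable_reserved());
    printf("fixed pool refused the same request: %s\n",
           demo_fixed_refuses() ? "yes" : "no");
    return 0;
}
```

The point worth internalising is that the capacity test alone is not a defence: it compares the wrapped value, not the value the caller asked for. Any allocator wrapper that adds a header or alignment slack before comparing against free space needs the same "result smaller than input" check, or an explicit upper bound on the request, before the arithmetic is trusted.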
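Editor's worked example for the cookie note in RHSA-2009:1454 (CVE-2007-5333), added here and not taken from Tomcat's ServerCookie code. It models the decision the note describes: a version 0 cookie whose value is not a plain token is quoted (with embedded quotes and backslashes escaped) and upgraded to Version=1 when the switch is on, while VERSION_SWITCH=false sends the value verbatim, delimiters and all. The tspecials set follows RFC 2109; the function names, the "pref" cookie and the hostile value are assumptions constructed for this example, and the example does not reproduce the CVE's specific exploit.

```c
/*
 * Added illustration (not Tomcat's code): when a Set-Cookie value must be
 * quoted, and what the VERSION_SWITCH toggle changes. Function names, the
 * cookie name and HOSTILE_VALUE are assumptions made for this example.
 */
#include <stdio.h>
#include <string.h>

/* RFC 2109/2068 tspecials: any of these (or a CTL, space or non-ASCII byte)
 * inside an unquoted value is read as a delimiter by the receiving parser. */
static const char TSPECIALS[] = "()<>@,;:\\\"/[]?={} \t";

/* 1 if the value is not a plain token and therefore needs quoting. */
int cookie_value_needs_quoting(const char *v)
{
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        if (c < 0x20 || c >= 0x7f || strchr(TSPECIALS, c))
            return 1;
    }
    return 0;
}

/* Write "\"...\"" with embedded '"' and '\' backslash-escaped.
 * Returns bytes written, or -1 if out is too small. */
static int write_quoted(const char *v, char *out, size_t outlen)
{
    size_t n = 0;
    if (n + 1 >= outlen) return -1;
    out[n++] = '"';
    for (; *v; v++) {
        if (*v == '"' || *v == '\\') {
            if (n + 1 >= outlen) return -1;
            out[n++] = '\\';
        }
        if (n + 1 >= outlen) return -1;
        out[n++] = *v;
    }
    if (n + 2 > outlen) return -1;
    out[n++] = '"';
    out[n] = '\0';
    return (int)n;
}

/* Build the Set-Cookie header value for a version 0 cookie.
 * version_switch != 0 models the patched default (VERSION_SWITCH=true):
 * a value that is not a token is quoted and the cookie becomes Version=1.
 * version_switch == 0 models VERSION_SWITCH=false: the value goes out as-is.
 * Returns the header length, or -1 on truncation. */
int format_set_cookie(const char *name, const char *value, int version_switch,
                      char *out, size_t outlen)
{
    int n;
    if (!cookie_value_needs_quoting(value) || !version_switch) {
        n = snprintf(out, outlen, "%s=%s", name, value);
    } else {
        char quoted[256];
        if (write_quoted(value, quoted, sizeof quoted) < 0)
            return -1;
        n = snprintf(out, outlen, "%s=%s; Version=1", name, quoted);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Constructed hostile value: contains a '"' and a ';' delimiter. */
static const char HOSTILE_VALUE[] = "abc\"; other=1";

/* Header produced for HOSTILE_VALUE under either switch setting. */
const char *demo_header(int version_switch)
{
    static char hdr[256];
    if (format_set_cookie("pref", HOSTILE_VALUE, version_switch, hdr, sizeof hdr) < 0)
        return "";
    return hdr;
}

int main(void)
{
    char hdr[256];
    format_set_cookie("JSESSIONID", "0123456789ABCDEF", 1, hdr, sizeof hdr);
    puts(hdr);               /* plain token: unchanged, stays version 0 */
    puts(demo_header(1));    /* quoted, escaped, upgraded to Version=1 */
    puts(demo_header(0));    /* VERSION_SWITCH=false: sent verbatim */
    return 0;
}
```

Run it and compare the last two lines: with the switch on, the whole hostile value survives as one quoted token; with it off, the bare `"` and `;` reach the client's cookie parser as syntax, which is the behaviour the advisory calls insecure. If an application on this Tomcat still needs the old form, audit where its cookie values come from before setting VERSION_SWITCH=false, since any request-controlled value ends up in that header.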