[SECURITY] Fedora 9 Update: tomcat6-6.0.18-1.1.fc9

updates at fedoraproject.org
Thu Sep 11 17:17:43 UTC 2008


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-7977
2008-09-11 11:07:09
--------------------------------------------------------------------------------

Name        : tomcat6
Product     : Fedora 9
Version     : 6.0.18
Release     : 1.1.fc9
URL         : http://tomcat.apache.org/
Summary     : Apache Servlet/JSP Engine, RI for Servlet 2.5/JSP 2.1 API
Description :
Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by
Sun under the Java Community Process.

Tomcat is developed in an open and participatory environment and
released under the Apache Software License version 2.0. Tomcat is intended
to be a collaboration of the best-of-breed developers from around the world.

--------------------------------------------------------------------------------
Update Information:

This release fixes several security-related issues. In addition, this release
fixes several user-reported problems related to the startup scripts and file
layout.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Aug 26 2008 David Walluck <dwalluck at redhat.com> 0:6.0.18-1.1
- 6.0.18
- Resolves: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370, CVE-2008-2938
- fix definition of java.security.policy with d%{name} start-security
- don't pass $CATALINA_OPTS with d%{name} stop
- redefine tempdir and workdir for tmpwatch workaround
- change eclipse-ecj references to ecj
* Thu Jul 10 2008 Tom "spot" Callaway <tcallawa at redhat.com> - 0:6.0.16-1.8
- drop repotag
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #456120 - CVE-2008-2938 tomcat Unicode directory traversal vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=456120
  [ 2 ] Bug #457934 - CVE-2008-2370 tomcat RequestDispatcher information disclosure vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=457934
  [ 3 ] Bug #446393 - CVE-2008-1947 Tomcat host manager xss - name field
        https://bugzilla.redhat.com/show_bug.cgi?id=446393
  [ 4 ] Bug #457597 - CVE-2008-1232 tomcat: Cross-Site-Scripting enabled by sendError call
        https://bugzilla.redhat.com/show_bug.cgi?id=457597
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update tomcat6' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------



