Package: tomcat6
Version: 6.0.16-1 6.0.18-dfsg1-1
Severity: serious
Tags: security patch
Hi,

the following CVE (Common Vulnerabilities & Exposures) ids were
published for tomcat6.

CVE-2009-0033[0]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when the Java AJP connector and mod_jk load balancing
| are used, allows remote attackers to cause a denial of service
| (application outage) via a crafted request with invalid headers,
| related to temporary blocking of connectors that have encountered
| errors, as demonstrated by an error involving a malformed HTTP Host
| header.

CVE-2009-0580[1]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when FORM authentication is used, allows remote
| attackers to enumerate valid usernames via requests to
| /j_security_check with malformed URL encoding of passwords, related to
| improper error checking in the (1) MemoryRealm, (2) DataSourceRealm,
| and (3) JDBCRealm authentication realms, as demonstrated by a %
| (percent) value for the j_password parameter.

CVE-2009-0783[2]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18 permits web applications to replace an XML parser used
| for other web applications, which allows local users to read or modify
| the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web
| applications via a crafted application that is loaded earlier than the
| target application.

CVE-2009-0781[3]:
| Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the
| calendar application in the examples web application in Apache Tomcat
| 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18
| allows remote attackers to inject arbitrary web script or HTML via the
| time parameter, related to "invalid HTML."

These are already fixed in Debian unstable (6.0.20-1). Please coordinate
with the security team (t...@security.debian.org) to prepare packages for
the stable releases.
If you fix the vulnerabilities please also make sure to include the CVE
ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
    http://security-tracker.debian.net/tracker/CVE-2009-0033
    Patch: http://svn.apache.org/viewvc?rev=742915&view=rev
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
    http://security-tracker.debian.net/tracker/CVE-2009-0580
    Patch: http://svn.apache.org/viewvc?rev=747840&view=rev
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
    http://security-tracker.debian.net/tracker/CVE-2009-0783
    Patch: http://svn.apache.org/viewvc?rev=652592&view=rev
           http://svn.apache.org/viewvc?rev=739522&view=rev
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
    http://security-tracker.debian.net/tracker/CVE-2009-0781
    Patch: http://svn.apache.org/viewvc?rev=750924&view=rev
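Added illustration of the failure mode behind CVE-2009-0580 (this is example code, not part of the bug report and not Tomcat's own realm code): a form-login handler that validates the percent-encoding of j_password up front and returns one uniform failure result for undecodable input, unknown users and wrong passwords, so the response cannot be used to tell valid usernames from invalid ones. USERS, strict_percent_decode and j_security_check are constructed names; the user store is a constructed stand-in for a realm.

```python
import hmac
import re
from typing import Optional

# Constructed stand-in for a MemoryRealm-style user store (assumption).
USERS = {"alice": "s3cret"}

_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def strict_percent_decode(value: str) -> Optional[str]:
    """Decode x-www-form-urlencoded text; return None on any malformed escape.

    A lone '%' (the CVE's demonstration value) or '%zz' is rejected here,
    before any realm is consulted, instead of surfacing a decoding error
    that differs between the 'user exists' and 'user unknown' paths.
    """
    out = bytearray()
    i = 0
    while i < len(value):
        c = value[i]
        if c == "%":
            if not _PCT.match(value, i):
                return None  # malformed escape: reject, do not throw
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        elif c == "+":
            out.append(0x20)
            i += 1
        else:
            out.extend(c.encode("utf-8"))
            i += 1
    try:
        return out.decode("utf-8")
    except UnicodeDecodeError:
        return None


def j_security_check(j_username: str, j_password_raw: str) -> str:
    """Return 'auth-ok' or 'auth-failed'; every failure looks identical."""
    password = strict_percent_decode(j_password_raw)
    if password is None:
        return "auth-failed"
    stored = USERS.get(j_username, "")  # unknown user compares like a bad password
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return "auth-failed"
    return "auth-ok"
```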