Security Advisory Important: tomcat security update

Advisory: RHSA-2009:1164-1
Type: Security Advisory
Severity: Important
Issued on: 2009-07-21
Last updated on: 2009-07-21
Affected Products: RHEL Desktop Workstation (v. 5 client), Red Hat Enterprise Linux (v. 5 server), Red Hat Enterprise Linux Desktop (v. 5 client), Red Hat Enterprise Linux EUS (v. 5.3.z server)
OVAL: com.redhat.rhsa-20091164.xml
CVEs (cve.mitre.org): CVE-2007-5333, CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783

Details

Updated tomcat packages that fix several security issues are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

It was discovered that the Red Hat Security Advisory RHSA-2007:0871 did not
address all possible flaws in the way Tomcat handles certain characters and
character sequences in cookie values. A remote attacker could use this flaw
to obtain sensitive information, such as session IDs, and then use this
information for session hijacking attacks. (CVE-2007-5333)

Note: The fix for the CVE-2007-5333 flaw changes the default cookie
processing behavior: with this update, version 0 cookies that contain
values that must be quoted to be valid are automatically changed to version
1 cookies. To reactivate the previous, insecure behavior, add the
following entry to the "/etc/tomcat5/catalina.properties" file:

org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false
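
An audit for the override above, as an added example that is not part of the advisory or of Red Hat's tooling: it reports whether a catalina.properties file turns the version switch off. The function names and exit codes are hypothetical, and treating an unset key or "true" as the secure default is an assumption based on the note above.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the insecure
# cookie override named above is set in a catalina.properties file.
PROP='org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH'

# Print the effective value of $PROP in file $1, or "unset".
# Handles the java.util.Properties details that matter for an audit:
# '#' and '!' comment lines, '=', ':' or whitespace as the separator,
# and last-definition-wins when the key appears more than once.
version_switch_value() {
    awk -v key="$PROP" '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }
        /^[#!]/ || /^$/ { next }
        {
            k = $0; v = ""
            n = match($0, /[ \t=:]/)
            if (n) {
                k = substr($0, 1, n - 1)
                v = substr($0, n)
                sub(/^[ \t]*[=:]?[ \t]*/, "", v)
                sub(/[ \t]+$/, "", v)
            }
            if (k == key) { found = 1; val = tolower(v) }
        }
        END { print (found ? val : "unset") }
    ' "$1"
}

# Exit status (assumed convention): 0 secure default, 1 override present,
# 2 file unreadable, 3 unexpected value that needs a manual look.
audit_cookie_switch() {
    file="${1:-/etc/tomcat5/catalina.properties}"
    [ -r "$file" ] || { echo "UNKNOWN: cannot read $file"; return 2; }
    value=$(version_switch_value "$file")
    case "$value" in
        unset|true) echo "OK: version switch active ($value)"; return 0 ;;
        false)      echo "INSECURE: $PROP=false in $file"; return 1 ;;
        *)          echo "REVIEW: unexpected value '$value' in $file"; return 3 ;;
    esac
}
```

Called with no argument, `audit_cookie_switch` reads the path given in this advisory; a commented-out entry is reported as unset.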

It was discovered that request dispatchers did not properly normalize user
requests that have trailing query strings, allowing remote attackers to
send specially-crafted requests that would cause an information leak.
(CVE-2008-5515)

A flaw was found in the way the Tomcat AJP (Apache JServ Protocol)
connector processes AJP connections. An attacker could use this flaw to
send specially-crafted requests that would cause a temporary denial of
service. (CVE-2009-0033)

It was discovered that certain authentication classes did not perform
sufficient error checking, allowing remote attackers to enumerate (via
brute force methods) usernames registered with applications running on
Tomcat when FORM-based authentication was used. (CVE-2009-0580)

A cross-site scripting (XSS) flaw was found in the examples calendar
application. With some web browsers, remote attackers could use this flaw
to inject arbitrary web script or HTML via the "time" parameter.
(CVE-2009-0781)

It was discovered that web applications containing their own XML parsers
could replace the XML parser Tomcat uses to parse configuration files. A
malicious web application running on a Tomcat instance could read or,
potentially, modify the configuration and XML-based data of other web
applications deployed on the same Tomcat instance. (CVE-2009-0783)

Users of Tomcat should upgrade to these updated packages, which contain
backported patches to resolve these issues. Tomcat must be restarted for
this update to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
tomcat5-5.5.23-0jpp.7.el5_3.2.src.rpm     cec451b1063e8b57ef9ba3ab25102c32
 
IA-32:
tomcat5-5.5.23-0jpp.7.el5_3.2.i386.rpm     1a877d4731e69631f2ece6c96c453b85
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_3.2.i386.rpm     67be623c13975af58aa8a843fd04f59e
tomcat5-common-lib-5.5.23-0jpp.7.el5_3.2.i386.rpm     5280c7818584b063332880118f6f0f7a
tomcat5-jasper-5.5.23-0jpp.7.el5_3.2.i386.rpm     8e392472cc1c6d81726d60dd2b507edb
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_3.2.i386.rpm     59a11238dd36a2a086774d419bb16c12
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_3.2.i386.rpm     a1b90843c86b9914734ac4da2caa1286
tomcat5-server-lib-5.5.23-0jpp.7.el5_3.2.i386.rpm     c867e14441c8bd37b3cb5442790272c1
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_3.2.i386.rpm     d81b06a4e4862b29c89e4f9784060a28
tomcat5-webapps-5.5.23-0jpp.7.el5_3.2.i386.rpm     f35eecb0bed062cc113475da865037b9
 
x86_64:
tomcat5-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     4e6f4e5c37bb0f1546fed49c489b491e
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     33a09ef8c51d2546ca875a86e0d22b3e
tomcat5-common-lib-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     ea5203e8310995dddcb8f24d6a74a873
tomcat5-jasper-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     7d0172a49818ed9e5f5a97a527193eb0
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     3523a50150eb5f416f78f9dc426d9a1b
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     93c0bf1a5e0a4dc1390c31df121bec41
tomcat5-server-lib-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     95b629e27871dc892ecfb7303c0e3429
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     488c16f4af06b02e32850f7159c197ba
tomcat5-webapps-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     536ba1304b0ba42b0ba7c893cdbb4d89
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
tomcat5-5.5.23-0jpp.7.el5_3.2.src.rpm     cec451b1063e8b57ef9ba3ab25102c32
 
IA-32:
tomcat5-5.5.23-0jpp.7.el5_3.2.i386.rpm     1a877d4731e69631f2ece6c96c453b85
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_3.2.i386.rpm     67be623c13975af58aa8a843fd04f59e
tomcat5-common-lib-5.5.23-0jpp.7.el5_3.2.i386.rpm     5280c7818584b063332880118f6f0f7a
tomcat5-jasper-5.5.23-0jpp.7.el5_3.2.i386.rpm     8e392472cc1c6d81726d60dd2b507edb
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_3.2.i386.rpm     59a11238dd36a2a086774d419bb16c12
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_3.2.i386.rpm     47e5e11f70e528ef154a58674fc71076
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_3.2.i386.rpm     a1b90843c86b9914734ac4da2caa1286
tomcat5-server-lib-5.5.23-0jpp.7.el5_3.2.i386.rpm     c867e14441c8bd37b3cb5442790272c1
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_3.2.i386.rpm     e53f0dc9b75946c268bb950d8787fc4c
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_3.2.i386.rpm     d81b06a4e4862b29c89e4f9784060a28
tomcat5-webapps-5.5.23-0jpp.7.el5_3.2.i386.rpm     f35eecb0bed062cc113475da865037b9
 
IA-64:
tomcat5-5.5.23-0jpp.7.el5_3.2.ia64.rpm     2ed6664ef5728d700c55d4640c7b17ec
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_3.2.ia64.rpm     f34383d837f3e6ec2dd1c9b71f7d1200
tomcat5-common-lib-5.5.23-0jpp.7.el5_3.2.ia64.rpm     f47eebc8604bea60b966d9171f8524e4
tomcat5-jasper-5.5.23-0jpp.7.el5_3.2.ia64.rpm     f16237cd6eae4742de7522b9bca0eee6
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_3.2.ia64.rpm     9ffb33f617cc8ee4351faab058d03572
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_3.2.ia64.rpm     02fffc20479bf32e1cdb3cfee53c60f3
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_3.2.ia64.rpm     f10f62eebd52612501d0a1f1b749f7a4
tomcat5-server-lib-5.5.23-0jpp.7.el5_3.2.ia64.rpm     682b5ec5d95fc4bf5fb323663840a626
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_3.2.ia64.rpm     8b341f4a39729b94481fc255307327be
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_3.2.ia64.rpm     e54e044c1791b68af8d48df961dc2b75
tomcat5-webapps-5.5.23-0jpp.7.el5_3.2.ia64.rpm     1365e145fd4d4d3853fbb18d8acda6bb
 
PPC:
tomcat5-5.5.23-0jpp.7.el5_3.2.ppc.rpm     a33dc66f66da683920bec05da2c2f388
tomcat5-5.5.23-0jpp.7.el5_3.2.ppc64.rpm     fd3f6cd3204a0a9e64aea03e07bf2a96
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_3.2.ppc.rpm     eec31e5f3c8ab4c96edbc8f7b54aa87f
tomcat5-common-lib-5.5.23-0jpp.7.el5_3.2.ppc.rpm     db1a192cb3aec2ed3d2992d3e00e3a6b
tomcat5-jasper-5.5.23-0jpp.7.el5_3.2.ppc.rpm     5bde92f7857bda3f2e4c7493c07ec654
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_3.2.ppc.rpm     ed99d290da5a01ff39d4b484138f2c77
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_3.2.ppc.rpm     29daf95d0d3802077cf3ab82c8b6e54d
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_3.2.ppc.rpm     b35c4993d104e98a1e3a1cc2cd5a98cf
tomcat5-server-lib-5.5.23-0jpp.7.el5_3.2.ppc.rpm     2bd83b0d627eb4f97bb618537f854d27
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_3.2.ppc.rpm     89a99c56adf60a175ceff33b2b8213c9
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_3.2.ppc.rpm     6b4b1e4be70d4700fb82a81fea2e0b77
tomcat5-webapps-5.5.23-0jpp.7.el5_3.2.ppc.rpm     ccc56e38edb9b0cb24e4b6120f0563a3
 
s390x:
tomcat5-5.5.23-0jpp.7.el5_3.2.s390x.rpm     5b879750d26a65fa3d87bd75517e9bed
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_3.2.s390x.rpm     703bb609f07c2c12f7b54ac3dabe9ec9
tomcat5-common-lib-5.5.23-0jpp.7.el5_3.2.s390x.rpm     d0c26f175296518a34ed6d2b63e8c411
tomcat5-jasper-5.5.23-0jpp.7.el5_3.2.s390x.rpm     f1f876788f7a3b798c3aeff565a9d88a
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_3.2.s390x.rpm     81cb5801f5270f30cc046439cc4b0330
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_3.2.s390x.rpm     5a3828a6d5c9a78c0ada1edc998c859c
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_3.2.s390x.rpm     7f40c91dcdbd4ae9e5c93cc8dd5c681b
tomcat5-server-lib-5.5.23-0jpp.7.el5_3.2.s390x.rpm     f95e4c53371fc4dec10400298ee50974
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_3.2.s390x.rpm     3056b04cc3fb8ca5c715ec5e042b5719
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_3.2.s390x.rpm     91b9aefdcd02a73d310e76ca61df92ae
tomcat5-webapps-5.5.23-0jpp.7.el5_3.2.s390x.rpm     0f2c944b57cbb91b2e5cb7a523b2e5e2
 
x86_64:
tomcat5-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     4e6f4e5c37bb0f1546fed49c489b491e
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     33a09ef8c51d2546ca875a86e0d22b3e
tomcat5-common-lib-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     ea5203e8310995dddcb8f24d6a74a873
tomcat5-jasper-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     7d0172a49818ed9e5f5a97a527193eb0
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     3523a50150eb5f416f78f9dc426d9a1b
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     da023201cf582d3a7cde658d46d19e45
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     93c0bf1a5e0a4dc1390c31df121bec41
tomcat5-server-lib-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     95b629e27871dc892ecfb7303c0e3429
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     00d3d487e31c56d63086c3a3241ba0f9
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     488c16f4af06b02e32850f7159c197ba
tomcat5-webapps-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     536ba1304b0ba42b0ba7c893cdbb4d89
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
tomcat5-5.5.23-0jpp.7.el5_3.2.src.rpm     cec451b1063e8b57ef9ba3ab25102c32
 
IA-32:
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_3.2.i386.rpm     47e5e11f70e528ef154a58674fc71076
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_3.2.i386.rpm     e53f0dc9b75946c268bb950d8787fc4c
 
x86_64:
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     da023201cf582d3a7cde658d46d19e45
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     00d3d487e31c56d63086c3a3241ba0f9
 
Red Hat Enterprise Linux EUS (v. 5.3.z server)

SRPMS:
tomcat5-5.5.23-0jpp.7.el5_3.2.src.rpm     cec451b1063e8b57ef9ba3ab25102c32
 
IA-32:
tomcat5-5.5.23-0jpp.7.el5_3.2.i386.rpm     1a877d4731e69631f2ece6c96c453b85
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_3.2.i386.rpm     67be623c13975af58aa8a843fd04f59e
tomcat5-common-lib-5.5.23-0jpp.7.el5_3.2.i386.rpm     5280c7818584b063332880118f6f0f7a
tomcat5-jasper-5.5.23-0jpp.7.el5_3.2.i386.rpm     8e392472cc1c6d81726d60dd2b507edb
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_3.2.i386.rpm     59a11238dd36a2a086774d419bb16c12
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_3.2.i386.rpm     47e5e11f70e528ef154a58674fc71076
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_3.2.i386.rpm     a1b90843c86b9914734ac4da2caa1286
tomcat5-server-lib-5.5.23-0jpp.7.el5_3.2.i386.rpm     c867e14441c8bd37b3cb5442790272c1
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_3.2.i386.rpm     e53f0dc9b75946c268bb950d8787fc4c
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_3.2.i386.rpm     d81b06a4e4862b29c89e4f9784060a28
tomcat5-webapps-5.5.23-0jpp.7.el5_3.2.i386.rpm     f35eecb0bed062cc113475da865037b9
 
IA-64:
tomcat5-5.5.23-0jpp.7.el5_3.2.ia64.rpm     2ed6664ef5728d700c55d4640c7b17ec
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_3.2.ia64.rpm     f34383d837f3e6ec2dd1c9b71f7d1200
tomcat5-common-lib-5.5.23-0jpp.7.el5_3.2.ia64.rpm     f47eebc8604bea60b966d9171f8524e4
tomcat5-jasper-5.5.23-0jpp.7.el5_3.2.ia64.rpm     f16237cd6eae4742de7522b9bca0eee6
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_3.2.ia64.rpm     9ffb33f617cc8ee4351faab058d03572
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_3.2.ia64.rpm     02fffc20479bf32e1cdb3cfee53c60f3
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_3.2.ia64.rpm     f10f62eebd52612501d0a1f1b749f7a4
tomcat5-server-lib-5.5.23-0jpp.7.el5_3.2.ia64.rpm     682b5ec5d95fc4bf5fb323663840a626
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_3.2.ia64.rpm     8b341f4a39729b94481fc255307327be
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_3.2.ia64.rpm     e54e044c1791b68af8d48df961dc2b75
tomcat5-webapps-5.5.23-0jpp.7.el5_3.2.ia64.rpm     1365e145fd4d4d3853fbb18d8acda6bb
 
PPC:
tomcat5-5.5.23-0jpp.7.el5_3.2.ppc.rpm     a33dc66f66da683920bec05da2c2f388
tomcat5-5.5.23-0jpp.7.el5_3.2.ppc64.rpm     fd3f6cd3204a0a9e64aea03e07bf2a96
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_3.2.ppc.rpm     eec31e5f3c8ab4c96edbc8f7b54aa87f
tomcat5-common-lib-5.5.23-0jpp.7.el5_3.2.ppc.rpm     db1a192cb3aec2ed3d2992d3e00e3a6b
tomcat5-jasper-5.5.23-0jpp.7.el5_3.2.ppc.rpm     5bde92f7857bda3f2e4c7493c07ec654
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_3.2.ppc.rpm     ed99d290da5a01ff39d4b484138f2c77
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_3.2.ppc.rpm     29daf95d0d3802077cf3ab82c8b6e54d
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_3.2.ppc.rpm     b35c4993d104e98a1e3a1cc2cd5a98cf
tomcat5-server-lib-5.5.23-0jpp.7.el5_3.2.ppc.rpm     2bd83b0d627eb4f97bb618537f854d27
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_3.2.ppc.rpm     89a99c56adf60a175ceff33b2b8213c9
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_3.2.ppc.rpm     6b4b1e4be70d4700fb82a81fea2e0b77
tomcat5-webapps-5.5.23-0jpp.7.el5_3.2.ppc.rpm     ccc56e38edb9b0cb24e4b6120f0563a3
 
s390x:
tomcat5-5.5.23-0jpp.7.el5_3.2.s390x.rpm     5b879750d26a65fa3d87bd75517e9bed
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_3.2.s390x.rpm     703bb609f07c2c12f7b54ac3dabe9ec9
tomcat5-common-lib-5.5.23-0jpp.7.el5_3.2.s390x.rpm     d0c26f175296518a34ed6d2b63e8c411
tomcat5-jasper-5.5.23-0jpp.7.el5_3.2.s390x.rpm     f1f876788f7a3b798c3aeff565a9d88a
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_3.2.s390x.rpm     81cb5801f5270f30cc046439cc4b0330
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_3.2.s390x.rpm     5a3828a6d5c9a78c0ada1edc998c859c
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_3.2.s390x.rpm     7f40c91dcdbd4ae9e5c93cc8dd5c681b
tomcat5-server-lib-5.5.23-0jpp.7.el5_3.2.s390x.rpm     f95e4c53371fc4dec10400298ee50974
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_3.2.s390x.rpm     3056b04cc3fb8ca5c715ec5e042b5719
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_3.2.s390x.rpm     91b9aefdcd02a73d310e76ca61df92ae
tomcat5-webapps-5.5.23-0jpp.7.el5_3.2.s390x.rpm     0f2c944b57cbb91b2e5cb7a523b2e5e2
 
x86_64:
tomcat5-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     4e6f4e5c37bb0f1546fed49c489b491e
tomcat5-admin-webapps-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     33a09ef8c51d2546ca875a86e0d22b3e
tomcat5-common-lib-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     ea5203e8310995dddcb8f24d6a74a873
tomcat5-jasper-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     7d0172a49818ed9e5f5a97a527193eb0
tomcat5-jasper-javadoc-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     3523a50150eb5f416f78f9dc426d9a1b
tomcat5-jsp-2.0-api-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     da023201cf582d3a7cde658d46d19e45
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     93c0bf1a5e0a4dc1390c31df121bec41
tomcat5-server-lib-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     95b629e27871dc892ecfb7303c0e3429
tomcat5-servlet-2.4-api-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     00d3d487e31c56d63086c3a3241ba0f9
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     488c16f4af06b02e32850f7159c197ba
tomcat5-webapps-5.5.23-0jpp.7.el5_3.2.x86_64.rpm     536ba1304b0ba42b0ba7c893cdbb4d89
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

427766 - CVE-2007-5333 Improve cookie parsing for tomcat5
489028 - CVE-2009-0781 tomcat: XSS in Apache Tomcat calendar application
493381 - CVE-2009-0033 tomcat6 Denial-Of-Service with AJP connection
503978 - CVE-2009-0580 tomcat6 Information disclosure in authentication classes
504153 - CVE-2009-0783 tomcat XML parser information disclosure
504753 - CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/