Security Advisory Important: tomcat security update

Advisory: RHSA-2007:0327-5
Type: Security Advisory
Severity: Important
Issued on: 2007-05-14
Last updated on: 2007-05-14
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2005-2090
CVE-2006-7195
CVE-2007-0450
CVE-2007-1358

Details

Updated tomcat packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Tomcat is a servlet container for Java Servlet and JavaServer Pages
technologies.

Tomcat was found to accept multiple Content-Length headers in a single
request. This could allow attackers to poison a web cache, bypass web
application firewall protection, or conduct cross-site scripting attacks.
(CVE-2005-2090)
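As an added defensive check (not code from the advisory or from Tomcat), the Python function below shows the proxy-side rule that removes the ambiguity described above: a request head carrying more than one Content-Length value is rejected instead of being forwarded, so the front end and Tomcat cannot disagree about where the body ends. The sample request heads are constructed, not captured traffic.

```python
import re


def content_length_verdict(raw_request):
    """Classify an HTTP/1.x request head by its Content-Length headers.

    Returns (accepted, length_or_None, reason). Added check written for
    this advisory, not Tomcat code: any head with more than one
    Content-Length value is refused rather than passed to the back end.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            return False, None, "malformed header line: %r" % line
        if name.strip().lower() == "content-length":
            # A comma-separated list counts as several values too.
            values.extend(v.strip() for v in value.split(","))
    if not values:
        return True, None, "no Content-Length header"
    if any(not re.fullmatch(r"[0-9]+", v) for v in values):
        return False, None, "non-numeric Content-Length"
    if len(set(values)) > 1:
        return False, None, "conflicting Content-Length values: %s" % sorted(set(values))
    if len(values) > 1:
        # RFC 7230 lets identical duplicates be merged; a strict proxy refuses them.
        return False, None, "duplicate Content-Length header"
    return True, int(values[0]), "single Content-Length"


# Constructed sample request heads (not captured traffic).
GOOD = b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CONFLICTING = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 5\r\ncontent-length: 48\r\n\r\nhello")
NO_BODY = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("good", GOOD), ("conflicting", CONFLICTING), ("no body", NO_BODY)):
        print(label, content_length_verdict(req))
```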

Tomcat permitted various characters as path delimiters. If Tomcat was used
behind certain proxies and configured to only proxy some contexts, an
attacker could construct an HTTP request to work around the context
restriction and potentially access non-proxied content. (CVE-2007-0450)

The implicit-objects.jsp file distributed in the examples webapp displayed a
number of unfiltered header values. If the JSP examples were accessible,
this flaw could allow a remote attacker to perform cross-site scripting
attacks. (CVE-2006-7195)

Users should upgrade to these erratum packages, which contain an update to
Tomcat that resolves these issues. Updated jakarta-commons-modeler
packages are also included; they correct a bug that occurred when the
library was used with Tomcat 5.5.23.


Solution

Note: /etc/tomcat5/web.xml has been updated to disable directory listing by
default. If you have previously modified /etc/tomcat5/web.xml, this change
will not be made automatically, and you should manually set the value of
the "listings" parameter to "false".
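An added check (not part of the advisory or of the tomcat5 package) that reads a web.xml and reports the value of the "listings" init-param on the "default" servlet, so an administrator with a locally modified /etc/tomcat5/web.xml can confirm the setting after the update. The embedded web.xml fragment is constructed; the servlet name "default" is assumed from Tomcat's standard web.xml.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of a Tomcat 5 web.xml (not the file the
# package ships); /etc/tomcat5/web.xml is the path the advisory names.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

def _local(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_listings(xml_text):
    """Return the 'listings' init-param of the 'default' servlet as written,
    or None when no such parameter is present."""
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [c.text.strip() for c in servlet if _local(c.tag) == "servlet-name" and c.text]
        if names != ["default"]:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "listings":
                return kv.get("param-value")
    return None

def listings_disabled(xml_text):
    """True only when listings is explicitly 'false'; an absent parameter
    falls back to the servlet's compiled-in default, which is not assumed here."""
    value = default_servlet_listings(xml_text)
    return value is not None and value.lower() == "false"

if __name__ == "__main__":
    # Pass a path (e.g. /etc/tomcat5/web.xml) to check a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    print("listings =", default_servlet_listings(text), "disabled:", listings_disabled(text))
```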

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages


Bugs fixed (see bugzilla for more information)

237089 - CVE-2005-2090 multiple tomcat issues (CVE-2007-0450 CVE-2006-7195)


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/