Security Advisory Moderate: tomcat security update

Advisory: RHSA-2007:0569-2
Type: Security Advisory
Severity: Moderate
Issued on: 2007-07-17
Last updated on: 2007-07-17
Affected Products: RHEL Desktop Workstation (v. 5 client), Red Hat Enterprise Linux (v. 5 server), Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2007-2449, CVE-2007-2450

Details

Updated tomcat packages that fix two security issues and a packaging bug
are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Tomcat is a servlet container for Java Servlet and JavaServer Pages (JSP)
technologies.

Some JSPs within the 'examples' web application did not escape user
provided data. If the JSP examples were accessible, this flaw could allow a
remote attacker to perform cross-site scripting attacks (CVE-2007-2449).

Note: it is recommended that the 'examples' web application not be installed
on a production system.

The Manager and Host Manager web applications did not escape user provided
data. If a user is logged in to the Manager or Host Manager web
application, an attacker could perform a cross-site scripting attack
(CVE-2007-2450).
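
The pattern behind both CVEs, as an added illustration (not Tomcat's or Red Hat's code): a JSP that echoes a request parameter straight into the page, modelled by renderUnsafe(), next to the corrected version that HTML-encodes the value first; the class and method names, and the test input, are constructed for this example.

```java
// Added illustration, not Tomcat's code.  The 'examples' and Manager JSPs
// wrote request parameters into HTML without escaping.  A scriptlet like
//   <%= request.getParameter("name") %>
// is modelled by renderUnsafe(); renderSafe() shows the fix: encode the
// value for an HTML text context before it reaches the response.
public class JspEscapeDemo {

    // Vulnerable pattern: user-controlled parameter concatenated into markup.
    static String renderUnsafe(String name) {
        return "<h1>Hello, " + name + "!</h1>";
    }

    // Fixed pattern: characters with HTML meaning become entities, so the
    // browser renders the parameter as text and never as markup.
    static String renderSafe(String name) {
        return "<h1>Hello, " + escapeHtml(name) + "!</h1>";
    }

    // Minimal HTML text-context encoder (hypothetical helper, not Tomcat's
    // util.HTMLFilter); attribute and JavaScript contexts need more.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed test input: markup carried in the 'name' parameter.
        String param = "Bob<script>alert(1)</script>";
        String unsafe = renderUnsafe(param);
        String safe = renderSafe(param);
        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        // Self-check: the fixed output must carry no raw tag from the input.
        if (safe.contains("<script>") || !safe.contains("&lt;script&gt;")) {
            throw new AssertionError("escaping failed");
        }
    }
}
```

The encoder above covers only an HTML text context; a value placed inside an attribute, a URL or a script block needs the encoding for that context instead.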

Users of Tomcat should update to these erratum packages, which contain
backported patches to correct these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Bugs fixed (see bugzilla for more information)

244804 - CVE-2007-2449 tomcat examples jsp XSS
244808 - CVE-2007-2450 tomcat host manager XSS
244846 - /var/tmp/rpm-tmp.25596: line 5: /usr/bin/rebuild-gcj-db: No such file or directory



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/