Security Advisory Important: tomcat5 security update

Advisory: RHSA-2010:0583-1
Type: Security Advisory
Severity: Important
Issued on: 2010-08-02
Last updated on: 2010-08-02
Affected Products: Developer Suite v3 EL4
CVEs (cve.mitre.org): CVE-2010-2227

Details

Updated tomcat5 packages that fix one security issue are now available for
Red Hat Developer Suite 3.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

A flaw was found in the way Tomcat handled the Transfer-Encoding header in
HTTP requests. A specially-crafted HTTP request could prevent Tomcat from
sending replies, or cause Tomcat to return truncated replies, or replies
containing data related to the requests of other users, for all subsequent
HTTP requests. (CVE-2010-2227)

Users of Tomcat should upgrade to these updated packages, which contain a
backported patch to resolve this issue. Tomcat must be restarted for this
update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
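A verification helper added here (it is not part of the Red Hat advisory): it compares the installed tomcat5 version-release string against the fixed build listed in this advisory using a simplified re-implementation of rpm's version comparison, and checks a downloaded package's SHA-256 against the value listed below. The function names and the rpmvercmp re-implementation are this example's own assumptions; it omits rpm's tilde/caret rules and the epoch field, which is 0 for tomcat5.

```python
import hashlib
import hmac
import re

# Fixed tomcat5 version-release for RHSA-2010:0583-1 (from the advisory's package list)
FIXED_VR = "5.5.23-0jpp_21rh"
# SHA-256 of tomcat5-5.5.23-0jpp_21rh.noarch.rpm as listed in the advisory
TOMCAT5_RPM_SHA256 = "0d03ff15045cf23554b1b6b2e65929b221a5bfff9aba79dec7381c4d4c5a9f91"

_SEG = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings the way rpm does:
    split into numeric/alpha segments, numbers compare as integers,
    a numeric segment is newer than an alpha one, and the string with
    segments left over wins. Simplified re-implementation for illustration;
    tilde/caret handling is omitted. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric sorts newer than alpha
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """installed_vr is the output of: rpm -q --qf '%{VERSION}-%{RELEASE}\n' tomcat5
    (tomcat5 carries epoch 0, so the epoch is not compared here)."""
    iv, _, ir = installed_vr.strip().rpartition("-")
    fv, _, fr = fixed_vr.rpartition("-")
    c = rpmvercmp(iv, fv) or rpmvercmp(ir, fr)   # release decides only when versions tie
    return c >= 0

def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of a package's SHA-256 with the advisory value."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())

def verify_rpm_file(path: str, expected_hex: str = TOMCAT5_RPM_SHA256) -> bool:
    """Read a downloaded RPM and check it against the advisory's SHA-256."""
    with open(path, "rb") as f:
        return sha256_matches(f.read(), expected_hex)

if __name__ == "__main__":
    for vr in ["5.5.23-0jpp_20rh", "5.5.23-0jpp_21rh", "5.5.23-0jpp_22rh"]:
        print(vr, "fixed" if is_fixed(vr) else "VULNERABLE: apply RHSA-2010:0583-1")
```

The checksum check only confirms the file matches the advisory listing; the GPG signature check described at the end of this page remains the authoritative integrity test.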

Updated packages

Developer Suite v3 EL4

SRPMS:
tomcat5-5.5.23-0jpp_21rh.src.rpm     MD5: ae3681607d9334ff39e74cf889a775b9
SHA-256: 98d3cc4f5b9ed73e71c2b450cacfd268042677015cb80f6e0812b71767a5b7bc
 
IA-32:
tomcat5-5.5.23-0jpp_21rh.noarch.rpm     MD5: a7aea094d7a7e6e36dba20d9bcca4250
SHA-256: 0d03ff15045cf23554b1b6b2e65929b221a5bfff9aba79dec7381c4d4c5a9f91
tomcat5-common-lib-5.5.23-0jpp_21rh.noarch.rpm     MD5: 2ff7c39456a7132fd33c289c501da172
SHA-256: dcf6f6090a5e59a74098fcaa46c0d31965547cedb6ff7fa92b1f3e20ada793bd
tomcat5-jasper-5.5.23-0jpp_21rh.noarch.rpm     MD5: 50f3de1e55aebee426cf72ef6fa3b179
SHA-256: 32131e117048228b659b44e8366ed065620deeceb1b87716f97339d7c6c85266
tomcat5-jsp-2.0-api-5.5.23-0jpp_21rh.noarch.rpm     MD5: b66cc5ec0cbd5eb99aead78a872c29dc
SHA-256: 8fdfeceb5cbd5d4393696d868e909c85c3dac1393b607c3fcfa5c2076510cb43
tomcat5-server-lib-5.5.23-0jpp_21rh.noarch.rpm     MD5: 7638e07b74b32b698b916ed53038fd51
SHA-256: 36d1041cfceca5b7c854bd557bc4429c72dab224f41477e04da62f497cc4676e
tomcat5-servlet-2.4-api-5.5.23-0jpp_21rh.noarch.rpm     MD5: d045f3d2824483f4548817b25d921d4d
SHA-256: d3e5608b2ff3c377c95a206c4955dbf86763f81df45c8a6fc86b3c217d700a19
 
IA-64, PPC and x86_64:
(identical noarch packages and checksums to those listed under IA-32 above)
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

612799 - CVE-2010-2227 tomcat: information leak vulnerability in the handling of 'Transfer-Encoding' header


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/