Security Advisory Important: tomcat5 security update

Advisory: RHSA-2010:0693-1
Type: Security Advisory
Severity: Important
Issued on: 2010-09-10
Last updated on: 2010-09-10
Affected Products: Red Hat Certificate System v7.3
CVEs (cve.mitre.org): CVE-2009-2693
CVE-2009-2902
CVE-2010-2227

Details

Updated tomcat5 packages that fix three security issues are now available
for Red Hat Certificate System 7.3.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

A flaw was found in the way Tomcat handled the Transfer-Encoding header in
HTTP requests. A specially-crafted HTTP request could prevent Tomcat from
sending replies, or cause Tomcat to return truncated replies, or replies
containing data related to the requests of other users, for all subsequent
HTTP requests. (CVE-2010-2227)

This erratum also fixes two further flaws in Tomcat: unexpected file deletion
and/or alteration (CVE-2009-2693) and unexpected file deletion in the Tomcat
work directory (CVE-2009-2902). In a typical operating environment, Tomcat is
not exposed to users of Red Hat Certificate System in a way that makes these
two flaws reachable; the fixes reduce risk in non-standard Certificate System
deployments.

Users of Red Hat Certificate System 7.3 should upgrade to these updated
tomcat5 packages, which contain backported patches to correct these issues.
After installing the updated packages, the Red Hat Certificate System CA
(rhpki-ca), DRM (rhpki-kra), OCSP (rhpki-ocsp), and TKS (rhpki-tks)
subsystems must be restarted ("/etc/init.d/[instance-name] restart") for
this update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Certificate System v7.3

SRPMS:
tomcat5-5.5.23-0jpp_4rh.19.src.rpm     MD5: b12a6a480c791552d18fcbfdb7e83bc1
SHA-256: ca74ea3c3dc3f21525850c298efb9088e1fef12a183273ba633ad6467cba2d2d
 
IA-32:
tomcat5-5.5.23-0jpp_4rh.19.noarch.rpm     MD5: ada12cf7711af090e69fc5cdfdb12ecf
SHA-256: 59ba4865e0eb15e09b8a8ba5988a1ec99cb1b9c444ff14ce82396e580a98cb62
tomcat5-common-lib-5.5.23-0jpp_4rh.19.noarch.rpm     MD5: cec4ff3e2d4fe81f95c27e5ee1275fb3
SHA-256: f7fd3e16bf849c997859eaa3c28d00d850ea81a81da9ad27003e48b8b839950b
tomcat5-jasper-5.5.23-0jpp_4rh.19.noarch.rpm     MD5: 8cc992f441292e3d281cc0cc390113bf
SHA-256: 3887a01f87222ad796e3bd8ca59a6addee5f4fa7f83d773bd3a7e07b2a791fb0
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.19.noarch.rpm     MD5: 59b8c0354c3ef8d0661187d4efc07184
SHA-256: 7480c5e6e2ee60e319d73621d7539929153df1f8a5244cb7d93420bf51333567
tomcat5-server-lib-5.5.23-0jpp_4rh.19.noarch.rpm     MD5: bfe02c54426d45abf17c363b5a748c4e
SHA-256: 302feff47282633321de51ec549b481aecde05835ffea6f4959ff006d34b9926
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.19.noarch.rpm     MD5: 7f3ea9d9599ac299120b7e785b237f7f
SHA-256: 1e7f4c2d7320347dd0c32e30605645a602cda7e1970b266bf636ca32f156ab4a
 
x86_64:
tomcat5-5.5.23-0jpp_4rh.19.noarch.rpm     MD5: ada12cf7711af090e69fc5cdfdb12ecf
SHA-256: 59ba4865e0eb15e09b8a8ba5988a1ec99cb1b9c444ff14ce82396e580a98cb62
tomcat5-common-lib-5.5.23-0jpp_4rh.19.noarch.rpm     MD5: cec4ff3e2d4fe81f95c27e5ee1275fb3
SHA-256: f7fd3e16bf849c997859eaa3c28d00d850ea81a81da9ad27003e48b8b839950b
tomcat5-jasper-5.5.23-0jpp_4rh.19.noarch.rpm     MD5: 8cc992f441292e3d281cc0cc390113bf
SHA-256: 3887a01f87222ad796e3bd8ca59a6addee5f4fa7f83d773bd3a7e07b2a791fb0
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.19.noarch.rpm     MD5: 59b8c0354c3ef8d0661187d4efc07184
SHA-256: 7480c5e6e2ee60e319d73621d7539929153df1f8a5244cb7d93420bf51333567
tomcat5-server-lib-5.5.23-0jpp_4rh.19.noarch.rpm     MD5: bfe02c54426d45abf17c363b5a748c4e
SHA-256: 302feff47282633321de51ec549b481aecde05835ffea6f4959ff006d34b9926
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.19.noarch.rpm     MD5: 7f3ea9d9599ac299120b7e785b237f7f
SHA-256: 1e7f4c2d7320347dd0c32e30605645a602cda7e1970b266bf636ca32f156ab4a
 
(The unlinked packages above are only available from the Red Hat Network)
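
The following script is an added example; it is not part of this advisory
and is not Red Hat tooling. It shows how to decide whether the installed
tomcat5 build (as reported by rpm -q) is older than the 5.5.23-0jpp_4rh.19
build listed above, and how to verify downloaded packages against the
SHA-256 values in the package list. rpmvercmp() reimplements rpm's
version-comparison rules (an assumption about rpm's behaviour made here, not
something the advisory states); ADVISORY_EXCERPT is two entries copied from
the list above; FIXED_EVR, needs_update(), parse_checksums(),
verify_package() and installed_evr() are names chosen for this example.

```python
"""Added example, not part of RHSA-2010:0693-1: is the installed tomcat5 older
than the fixed build, and does a downloaded package match the advisory's
SHA-256?  rpmvercmp() follows rpm's comparison rules (an assumption made here)."""
import hashlib
import hmac
import os
import re
import subprocess
from itertools import zip_longest

FIXED_EVR = "5.5.23-0jpp_4rh.19"    # fixed build from the advisory's package list

# Constructed excerpt: two entries copied from the advisory's package list.
ADVISORY_EXCERPT = """\
tomcat5-5.5.23-0jpp_4rh.19.src.rpm     MD5: b12a6a480c791552d18fcbfdb7e83bc1
SHA-256: ca74ea3c3dc3f21525850c298efb9088e1fef12a183273ba633ad6467cba2d2d
tomcat5-5.5.23-0jpp_4rh.19.noarch.rpm     MD5: ada12cf7711af090e69fc5cdfdb12ecf
SHA-256: 59ba4865e0eb15e09b8a8ba5988a1ec99cb1b9c444ff14ce82396e580a98cb62
"""

_TOKEN_RE = re.compile(r"[0-9]+|[A-Za-z]+|~")
_SUM_RE = re.compile(r"^(\S+\.rpm)\s+MD5:\s*[0-9a-f]{32}\s*\nSHA-256:\s*([0-9a-f]{64})", re.M)

def rpmvercmp(a, b):
    """rpm-style compare of version/release strings, returning -1, 0 or 1.
    Digit runs compare numerically, letter runs as strings, a digit run beats a
    letter run, '~' sorts before anything (even end of string), and every other
    character is a separator that is ignored."""
    ta, tb = _TOKEN_RE.findall(a), _TOKEN_RE.findall(b)
    for x, y in zip_longest(ta, tb):
        if x == "~" or y == "~":            # pre-release marker
            if x != y:
                return 1 if x != "~" else -1
            continue
        if x is None or y is None:          # the string that ran out is older
            return -1 if x is None else 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):            # int() drops leading zeros like rpm
                return 1 if int(x) > int(y) else -1
        elif xd or yd:                      # numeric segment beats alphabetic
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return 0

def parse_evr(evr):
    """Split 'epoch:version-release' as printed by
    rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'; '(none)' is epoch 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release

def evr_cmp(a, b):
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:                            # epoch dominates version and release
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def needs_update(installed, fixed=FIXED_EVR):
    """True when the installed build is older than the advisory's fixed build."""
    return evr_cmp(installed, fixed) < 0

def parse_checksums(text):
    """Package file name -> SHA-256, parsed from the advisory's package list."""
    return dict(_SUM_RE.findall(text))

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_package(path, expected):
    """True only if the file's SHA-256 equals the advisory's value for that name."""
    want = expected.get(os.path.basename(path))
    return want is not None and hmac.compare_digest(sha256_of(path), want)

def installed_evr(pkg="tomcat5"):
    """EVR of the installed package via rpm; None if rpm or the package is absent."""
    try:
        out = subprocess.run(["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", pkg],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.strip()

if __name__ == "__main__":
    evr = installed_evr()
    print("tomcat5:", "not installed or rpm unavailable" if evr is None else
          f"{evr} -> {'UPDATE NEEDED' if needs_update(evr) else 'at or past fixed build'}")
    sums = parse_checksums(ADVISORY_EXCERPT)
    for name in sorted(n for n in os.listdir(".") if n.endswith(".rpm")):
        print(name, "sha256 OK" if verify_package(name, sums) else "MISMATCH or not listed")
```

Run it from the directory holding the downloaded RPMs. A matching SHA-256
shows the download is the file Red Hat published, but it does not replace the
signature check described at the end of this advisory: rpm -K (rpm --checksig)
on each package verifies the GPG signature against Red Hat's key. The
Certificate System subsystem instances still have to be restarted after the
upgrade, as stated in the Details section.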

Bugs fixed (see bugzilla for more information)

559738 - CVE-2009-2693 tomcat: unexpected file deletion and/or alteration
559761 - CVE-2009-2902 tomcat: unexpected file deletion in work directory
612799 - CVE-2010-2227 tomcat: information leak vulnerability in the handling of 'Transfer-Encoding' header


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/