Oval Definition: oval:com.redhat.rhsa:def:20070327
Revision Date: 2008-03-20
Version: 638
Title: RHSA-2007:0327: tomcat security update (Important)
Description: Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies.

  • Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090)

  • Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450)

  • The implicit-objects.jsp file distributed in the examples webapp displayed a number of unfiltered header values. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195)

Users should upgrade to these erratum packages which contain an update to Tomcat that resolves these issues. Updated jakarta-commons-modeler packages are also included which correct a bug when used with Tomcat 5.5.23.

Family: unix
Class: patch
Status:
Reference(s):
  • CVE-2005-2090
  • CVE-2006-7195
  • CVE-2007-0450
  • CVE-2007-1358
  • RHSA-2007:0327
  • RHSA-2007:0327-01
Platform(s): Red Hat Enterprise Linux 5
Product(s):

Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
    • Red Hat Enterprise Linux 5 is installed
    • AND
      • tomcat5 is earlier than 0:5.5.23-0jpp.1.0.3.el5
        AND tomcat5 is signed with Red Hat redhatrelease2 key
      • tomcat5-admin-webapps is earlier than 0:5.5.23-0jpp.1.0.3.el5
        AND tomcat5-admin-webapps is signed with Red Hat redhatrelease2 key
      • tomcat5-common-lib is earlier than 0:5.5.23-0jpp.1.0.3.el5
        AND tomcat5-common-lib is signed with Red Hat redhatrelease2 key
      • tomcat5-jasper is earlier than 0:5.5.23-0jpp.1.0.3.el5
        AND tomcat5-jasper is signed with Red Hat redhatrelease2 key
      • tomcat5-jasper-javadoc is earlier than 0:5.5.23-0jpp.1.0.3.el5
        AND tomcat5-jasper-javadoc is signed with Red Hat redhatrelease2 key
      • tomcat5-jsp-2.0-api is earlier than 0:5.5.23-0jpp.1.0.3.el5
        AND tomcat5-jsp-2.0-api is signed with Red Hat redhatrelease2 key
      • tomcat5-jsp-2.0-api-javadoc is earlier than 0:5.5.23-0jpp.1.0.3.el5
        AND tomcat5-jsp-2.0-api-javadoc is signed with Red Hat redhatrelease2 key
      • tomcat5-server-lib is earlier than 0:5.5.23-0jpp.1.0.3.el5
        AND tomcat5-server-lib is signed with Red Hat redhatrelease2 key
      • tomcat5-servlet-2.4-api is earlier than 0:5.5.23-0jpp.1.0.3.el5
        AND tomcat5-servlet-2.4-api is signed with Red Hat redhatrelease2 key
      • tomcat5-servlet-2.4-api-javadoc is earlier than 0:5.5.23-0jpp.1.0.3.el5
        AND tomcat5-servlet-2.4-api-javadoc is signed with Red Hat redhatrelease2 key
      • tomcat5-webapps is earlier than 0:5.5.23-0jpp.1.0.3.el5
        AND tomcat5-webapps is signed with Red Hat redhatrelease2 key
      • jakarta-commons-modeler is earlier than 0:1.1-8jpp.1.0.2.el5
        AND jakarta-commons-modeler is signed with Red Hat redhatrelease2 key
      • jakarta-commons-modeler-javadoc is earlier than 0:1.1-8jpp.1.0.2.el5
        AND jakarta-commons-modeler-javadoc is signed with Red Hat redhatrelease2 key