Oval Definition:oval:com.redhat.rhsa:def:20080648
Revision Date:2008-08-27Version:643
Title:RHSA-2008:0648: tomcat security update (Important)
Description:Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

  • A cross-site scripting vulnerability was discovered in the HttpServletResponse.sendError() method. A remote attacker could inject arbitrary web script or HTML via forged HTTP headers. (CVE-2008-1232)

  • An additional cross-site scripting vulnerability was discovered in the host manager application. A remote attacker could inject arbitrary web script or HTML via the hostname parameter. (CVE-2008-1947)

  • A traversal vulnerability was discovered when using a RequestDispatcher in combination with a servlet or JSP. A remote attacker could utilize a specially-crafted request parameter to access protected web resources. (CVE-2008-2370)

  • An additional traversal vulnerability was discovered when the "allowLinking" and "URIencoding" settings were activated. A remote attacker could use a UTF-8-encoded request to extend their privileges and obtain local files accessible to the Tomcat process. (CVE-2008-2938)

    Users of tomcat should upgrade to these updated packages, which contain backported patches to resolve these issues.
    • Family:unixClass:patch
    Status:Reference(s):CVE-2008-1232
    CVE-2008-1947
    CVE-2008-2370
    CVE-2008-2938
    RHSA-2008:0648
    RHSA-2008:0648-01
    RHSA-2008:0648-01
    Platform(s):Red Hat Enterprise Linux 5
    		Product(s):
    Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 5 is installed
  • AND
  • tomcat5 is earlier than 0:5.5.23-0jpp.7.el5_2.1
  • AND tomcat5 is signed with Red Hat redhatrelease2 key
  • tomcat5-admin-webapps is earlier than 0:5.5.23-0jpp.7.el5_2.1
  • AND tomcat5-admin-webapps is signed with Red Hat redhatrelease2 key
  • tomcat5-common-lib is earlier than 0:5.5.23-0jpp.7.el5_2.1
  • AND tomcat5-common-lib is signed with Red Hat redhatrelease2 key
  • tomcat5-jasper is earlier than 0:5.5.23-0jpp.7.el5_2.1
  • AND tomcat5-jasper is signed with Red Hat redhatrelease2 key
  • tomcat5-jasper-javadoc is earlier than 0:5.5.23-0jpp.7.el5_2.1
  • AND tomcat5-jasper-javadoc is signed with Red Hat redhatrelease2 key
  • tomcat5-jsp-2.0-api is earlier than 0:5.5.23-0jpp.7.el5_2.1
  • AND tomcat5-jsp-2.0-api is signed with Red Hat redhatrelease2 key
  • tomcat5-jsp-2.0-api-javadoc is earlier than 0:5.5.23-0jpp.7.el5_2.1
  • AND tomcat5-jsp-2.0-api-javadoc is signed with Red Hat redhatrelease2 key
  • tomcat5-server-lib is earlier than 0:5.5.23-0jpp.7.el5_2.1
  • AND tomcat5-server-lib is signed with Red Hat redhatrelease2 key
  • tomcat5-servlet-2.4-api is earlier than 0:5.5.23-0jpp.7.el5_2.1
  • AND tomcat5-servlet-2.4-api is signed with Red Hat redhatrelease2 key
  • tomcat5-servlet-2.4-api-javadoc is earlier than 0:5.5.23-0jpp.7.el5_2.1
  • AND tomcat5-servlet-2.4-api-javadoc is signed with Red Hat redhatrelease2 key
  • tomcat5-webapps is earlier than 0:5.5.23-0jpp.7.el5_2.1
  • AND tomcat5-webapps is signed with Red Hat redhatrelease2 key
    • BACK