FS#6616 - Warning on tomcat
Attached to Project:
Arch Linux
Opened by DaNiMoTh (DaNiMoTh) - Saturday, 17 March 2007, 16:40 GMT
Last edited by Roman Kyrylych (Romashka) - Sunday, 18 March 2007, 07:54 GMT
Details
------------------------------------------------------------
------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#18
------------------------------------------------------------
Name: tomcat
Date: 2007-03-17
Severity: Normal
Warning #: 2007-#18
------------------------------------------------------------

Product Background
===================
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. Apache Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.

Problem Background
===================
* The only character found to be accepted as a directory separator by Apache is "/" (slash).
* On the other hand, Tomcat allows characters including URI-encoded characters like "/" (slash), "\" (backslash) or "%5C" (URI-encoded backslash). This allows an attacker to use directory traversal attack methods. Depending on the configuration, HTTP requests including strings like "/\../" allow attackers to break out of the given context and directory structures.

Impact
==========
If the Apache HTTP Server and Tomcat are configured to interoperate with the common proxy modules (mod_proxy, mod_rewrite, mod_jk), an attacker might be able to break out of the intended destination path up to the webroot in Tomcat.

Problem Packages
===================
Package: tomcat
Repo: extra
Group: network
Unsafe: < 5.2.22
Safe: >= 5.2.22

Package Fix
===================
Upgrade to 5.2.22. On the official site [ http://tomcat.apache.org/ ] I see that there is a 5.2.23 version. Feel free to upgrade to this version, if the developers think it is useful.

====================
Unofficial ArchLinux Security Bug Tracker: http://jjdanimoth.netsons.org/alsw.html

Reference(s)
===================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
http://www.securityfocus.com/archive/1/462791/30/60/threaded
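The mismatch the advisory describes, shown as an added example that is not part of the report, the advisory or either project's code: one function collapses path segments treating only "/" as a separator (the Apache behaviour described above), the other first percent-decodes and then treats "\" as equivalent to "/" (the pre-fix Tomcat behaviour described above). A request like "/app/%5C../manager/html" stays under "/app/" in the proxy's view but resolves to "/manager/html" in Tomcat's view, which is exactly the context escape the advisory warns about. The context path "/app/", the log lines and the function names are all constructed for the example.

```python
"""Simulate the Apache-vs-Tomcat path normalisation mismatch behind
CVE-2007-0450 and use it to flag proxied requests that escape their
context. Assumptions are labelled; nothing here is project code."""
import re
from urllib.parse import unquote


def apache_view(path):
    """Proxy-side view (assumed, per the advisory): only '/' separates
    directories, so '\\' and '%5C' are ordinary characters in a segment."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def tomcat_view(path):
    """Pre-fix Tomcat view (assumed, per the advisory): percent-decode first
    (so '%5C' becomes '\\'), then treat '\\' like '/' before collapsing."""
    decoded = unquote(path).replace("\\", "/")
    return apache_view(decoded)


def escapes_context(path, context):
    """True when the proxy would still see the request under `context`
    (so a Location/ProxyPass rule for it matches) but Tomcat resolves it
    to a path outside that context."""
    proxy_ok = apache_view(path).startswith(context)
    tomcat_ok = tomcat_view(path).startswith(context)
    return proxy_ok and not tomcat_ok


# Constructed sample lines in Apache combined-log style; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Mar/2007:16:40:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Mar/2007:16:41:12 +0000] "GET /app/%5C../manager/html HTTP/1.1" 200 2048',
    '10.0.0.9 - - [17/Mar/2007:16:41:30 +0000] "GET /app/\\../WEB-INF/web.xml HTTP/1.1" 200 900',
    '10.0.0.7 - - [17/Mar/2007:16:42:05 +0000] "GET /app/x/../y HTTP/1.1" 404 221',
]

_REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal(lines, context="/app/"):
    """Return the request paths in `lines` that escape `context` in Tomcat's
    view while passing the proxy's prefix check. Plain '..' traversal that
    both sides agree on is not flagged; the point is the disagreement."""
    flagged = []
    for line in lines:
        m = _REQ.search(line)
        if m and escapes_context(m.group(1), context):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for p in flag_traversal(SAMPLE_LOG):
        print("proxy sees %-28s tomcat sees %s" % (apache_view(p), tomcat_view(p)))
```

The check is deliberately written as "does the front end's view differ from the back end's view", not as a blacklist of "\" or "%5C": the same function catches any future separator the back end accepts and the proxy does not, and it does not flag ordinary "/x/../y" requests that both sides resolve identically. Run it over a real access log by replacing SAMPLE_LOG with the file's lines and the context with the prefix your ProxyPass/JkMount rule exposes.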
Closed by Simo Leone (neotuli)
Sunday, 18 March 2007, 22:55 GMT
Reason for closing: Fixed
Additional comments about closing: upgraded to 5.5.23