tomcat5-5.5.23-0jpp.38.0.1.AXS3

Errata ID: AXSA:2013-370:01

Release date: 
Wednesday, April 10, 2013 - 13:01
Subject: 
tomcat5-5.5.23-0jpp.38.0.1.AXS3
Affected Channels: 
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity: 
High
Description: 

Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.

Tomcat is developed in an open and participatory environment and released under the Apache Software License. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project. To learn more about getting involved, click here.

Security issues fixed with this release:

CVE-2012-3546
org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI.

CVE-2012-5885
The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184.

CVE-2012-5886
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID.

CVE-2012-5887
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests.
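
The server-side checks that CVE-2012-5885 and CVE-2012-5887 concern, as an added Python sketch (not Tomcat's code and not part of this erratum): replay state is keyed by the server nonce with a strictly increasing nc, and the stale-nonce decision is made only after the digest has verified. The names `NonceTracker`, `digest_response` and `demo`, the 300-second nonce lifetime and the sample user, realm and password are assumptions made for the example; header fields are assumed to be already parsed and syntax-checked.

```python
import hashlib
import hmac
import secrets
import time

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for algorithm=MD5, qop=auth."""
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1, ha2 = h(f"{user}:{realm}:{password}"), h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class NonceTracker:
    """Replay guard keyed by the server nonce; keeps the highest nc accepted for it."""
    def __init__(self, max_age=300.0, clock=time.monotonic):
        self.max_age, self.clock = max_age, clock
        self.issued = {}  # server nonce -> [issue time, highest nc accepted]
    def issue(self):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = [self.clock(), 0]
        return nonce

    def check(self, req, realm, password):
        expected = digest_response(req["username"], realm, password, req["method"],
                                   req["uri"], req["nonce"], req["nc"], req["cnonce"])
        # Credentials first: a wrong digest never earns a stale=true retry hint.
        if not hmac.compare_digest(expected, req["response"]):
            return "bad-credentials"
        entry = self.issued.get(req["nonce"])
        if entry is None:
            return "unknown-nonce"
        if self.clock() - entry[0] > self.max_age:
            return "stale"        # a server would answer 401 with stale=true
        nc = int(req["nc"], 16)   # nc is eight hex digits on the wire
        if nc <= entry[1]:
            return "replay"       # same or lower count under this server nonce
        entry[1] = nc
        return "ok"

def demo():
    now = [0.0]                   # constructed clock, keeps the run deterministic
    tracker = NonceTracker(clock=lambda: now[0])
    nonce = tracker.issue()
    def request(nc, cnonce, password="s3cret"):   # constructed user and password
        resp = digest_response("alice", "example", password, "GET", "/admin/", nonce, nc, cnonce)
        return dict(username="alice", method="GET", uri="/admin/", nonce=nonce,
                    nc=nc, cnonce=cnonce, response=resp)
    first = request("00000001", "c1")
    seq = [first, first, request("00000002", "c2"), request("00000003", "c3", "guess")]
    out = [tracker.check(r, "example", "s3cret") for r in seq]
    now[0] = 301.0                # move past max_age
    return out + [tracker.check(request("00000003", "c3"), "example", "s3cret")]
```

`demo()` returns one verdict per request: the first request is accepted, the same request sent again is flagged as a replay, and an expired nonce is reported as stale only when the digest itself was correct.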

Fixed bugs:

• The RELINK script is now called only if required by the user: this solves some potential data loss windows when a problem occurred during Tomcat start if the RELINK script was running.

• Previously, the Tomcat server would remove the single or double quotes from cookie names, but then the cookie values would be empty when passed to a servlet. This has been fixed.

• The OPTIONS request did not return the TRACE method as an allowed method and incorrectly reported TRACE as an allowed method. This has been fixed.

• Previously, Tomcat crashed with a NullPointerException if the context.xml file did not specify the docBase property. This situation is now handled and the path name to the context is used as docBase. Reminder: when deploying a context, the docBase attribute is mandatory.

• On IBM S/390 and 64-bit PowerPC systems, the Tomcat Administration Tool crashed and accessing it failed with HTTP 404 because the JSP pre-compilation was disabled. JSP is now pre-compiled to prevent compilation at runtime and the Tomcat Administration Tool is accessible.

• Tomcat reported a NullPointerException when a context was deployed with a web application and the etc/localhost/[webapp].xml file existed; this has been fixed.

• Added the tomcat-juli.jar library, which was missing from Tomcat; its absence prevented java.util.logging from working.

• The /etc/init.d/tomcat5 script returned an incorrect exit status when stopped. This has been fixed.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. tomcat5-5.5.23-0jpp.38.0.1.AXS3.src.rpm
    MD5: 4350427e8e43e0a4b61417829b6b55cf
    SHA-256: 9564c3970c3a32ef48112cb105c0c3ac42dca82be5f227368820279a123ad83d
    Size: 4.75 MB

Asianux Server 3 for x86
  1. tomcat5-5.5.23-0jpp.38.0.1.AXS3.i386.rpm
    MD5: 606dec01ac24428ac956b1c3657339b1
    SHA-256: 50a159518b277a03b106485f5eb6ca809e076e4546efef7e7b3abe37ff49a4dc
    Size: 371.74 kB
  2. tomcat5-admin-webapps-5.5.23-0jpp.38.0.1.AXS3.i386.rpm
    MD5: eb8f9822627e5eef8f09ceb6a22af1e7
    SHA-256: ac27e85f16d19316d24ade74546e61278b1287c1f859f9764ee54e259cc073bc
    Size: 3.03 MB
  3. tomcat5-common-lib-5.5.23-0jpp.38.0.1.AXS3.i386.rpm
    MD5: 2eee6cb604d4b96c157d57144e140bf3
    SHA-256: b4a119f5e8b6bc1f3a3b7d1a92c32074f5976aa54145b6331be2ec9987299f28
    Size: 202.78 kB
  4. tomcat5-jasper-5.5.23-0jpp.38.0.1.AXS3.i386.rpm
    MD5: 8277f4cdd1a5a6df3e2256e2b69f73ed
    SHA-256: 7b1f60d2cfe627e4ddb3e0254edb7c833382abf199996542e0692603798d5d13
    Size: 0.96 MB
  5. tomcat5-jasper-javadoc-5.5.23-0jpp.38.0.1.AXS3.i386.rpm
    MD5: 9e1eca86ee0760a01c319d88b321f17d
    SHA-256: c039589ae4da980465700cf4de22392e76d573bfc155de54d5f8cc589480d62d
    Size: 283.88 kB
  6. tomcat5-jsp-2.0-api-5.5.23-0jpp.38.0.1.AXS3.i386.rpm
    MD5: 4098bec6091af578793ca4977077b8d3
    SHA-256: ef6d3aec02400444c840a9f55c02227756b561c813a54a2cdac9ff1fa258eab3
    Size: 99.34 kB
  7. tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.0.1.AXS3.i386.rpm
    MD5: d68649e6a39ddc874bba788627efff01
    SHA-256: bdcdc6f8ef4c5f928f06528146bd2c4ca1e06f1f90314e507d033538073be7c8
    Size: 151.73 kB
  8. tomcat5-server-lib-5.5.23-0jpp.38.0.1.AXS3.i386.rpm
    MD5: c46a25038f7771bb1ea16acc7c03f7b1
    SHA-256: cac49a974a31c7497997919cf082cb51cf4cbc4fba1d1fefacfde8fca1cab4a4
    Size: 3.57 MB
  9. tomcat5-servlet-2.4-api-5.5.23-0jpp.38.0.1.AXS3.i386.rpm
    MD5: 64ea9d570faa702bd4b153979006fef7
    SHA-256: 2a04c8dc8ff1c79be8763f30d6b673805311a78d7cea06594470172b196a58e8
    Size: 156.23 kB
  10. tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.0.1.AXS3.i386.rpm
    MD5: 536f57c0ce555bf6d54ff2e9ed9681f4
    SHA-256: af227e162f4dfe145a93447f06518923dfb3de9cd029e3c86aedc654a8b1b986
    Size: 156.88 kB
  11. tomcat5-webapps-5.5.23-0jpp.38.0.1.AXS3.i386.rpm
    MD5: 2ac8e972c3c77e0edae056fe59e20904
    SHA-256: 7e89175a6ea3c7335cea58ad390db3c2aef929250a9ef91b28e7a47ca1595890
    Size: 1.24 MB

Asianux Server 3 for x86_64
  1. tomcat5-5.5.23-0jpp.38.0.1.AXS3.x86_64.rpm
    MD5: 129a2341f7ff2a0d671b183604b92a9d
    SHA-256: 775e7243eafb496326d33d8f66ce8ac91cfc94b79e9b64dcc106cffa48a71b46
    Size: 397.17 kB
  2. tomcat5-admin-webapps-5.5.23-0jpp.38.0.1.AXS3.x86_64.rpm
    MD5: f1cc01c292aab2c410fd84c0128bd33f
    SHA-256: 76ad3fb058c1f904c39dc1c2b71369c6024790e1749bd729e5219443034c2ba1
    Size: 3.44 MB
  3. tomcat5-common-lib-5.5.23-0jpp.38.0.1.AXS3.x86_64.rpm
    MD5: a741b1331d5a236c9435f2765d4e65b9
    SHA-256: a9b82fd6e44a656c08b23e9384cbf4cff9bee3361e4a1c1b7c1d6eb7715d30fe
    Size: 227.11 kB
  4. tomcat5-jasper-5.5.23-0jpp.38.0.1.AXS3.x86_64.rpm
    MD5: 388f8ba7b70c4ef667c8cbcf424974e5
    SHA-256: 1b4e2a8128c40cf404fdcf0628632ff1c34ba3e48c88ea83b3eed5bea162c275
    Size: 1.09 MB
  5. tomcat5-jasper-javadoc-5.5.23-0jpp.38.0.1.AXS3.x86_64.rpm
    MD5: 1eba4f87a19c2a45b521dcb18d760f70
    SHA-256: 1eeeb1fc8c4ad6a7263913dfe3d9580399ce81b88c97e6f3f7aa54abba2de924
    Size: 283.69 kB
  6. tomcat5-jsp-2.0-api-5.5.23-0jpp.38.0.1.AXS3.x86_64.rpm
    MD5: 10136aef1317e1479ed246725729d45d
    SHA-256: 2102568523f70f3ef9129e9d5ade13a0ae751af4d772bc7c69c3f0b8557adf8a
    Size: 105.66 kB
  7. tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.0.1.AXS3.x86_64.rpm
    MD5: 029fbdf286af5a0d5f7388763e7137f6
    SHA-256: 0369779c5fd57c1a8297121cb9362d3286f397b1845fc877f7330f98c8a63919
    Size: 151.53 kB
  8. tomcat5-server-lib-5.5.23-0jpp.38.0.1.AXS3.x86_64.rpm
    MD5: b51bf810009a6a58641eb6df2e13675d
    SHA-256: 80f47f0e5fdbfaa9faa8e406f2bce14f45173d5934262fca8c76fd79d19a672d
    Size: 4.05 MB
  9. tomcat5-servlet-2.4-api-5.5.23-0jpp.38.0.1.AXS3.x86_64.rpm
    MD5: 47e755b25f60392ff69da020073050e6
    SHA-256: 9c3499e15b4509bf4811b51f711847ca7da3b025b19871150e294d42051a083b
    Size: 165.57 kB
  10. tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.0.1.AXS3.x86_64.rpm
    MD5: 14994a01803ce6aab8316e8be0c7a467
    SHA-256: faf5417f6d9edbb4ea2d80c853923b1028fdd87baba5c01089a821199f5697dc
    Size: 156.77 kB
  11. tomcat5-webapps-5.5.23-0jpp.38.0.1.AXS3.x86_64.rpm
    MD5: 6de59356be2e74622af99fc126b6f534
    SHA-256: b162a6befb32893da01ecf442585c6efa0c0f6aedd0c468774d5b3ae624cbbce
    Size: 1.24 MB