tomcat6-6.0.24-105.AXS4

エラータID: AXSA:2017-1345:01

Release date: 
Wednesday, March 15, 2017 - 21:21
Subject: 
tomcat6-6.0.24-105.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
Moderate
Description: 

Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by
Sun under the Java Community Process.

Tomcat is developed in an open and participatory environment and
released under the Apache Software License version 2.0. Tomcat is intended
to be a collaboration of the best-of-breed developers from around the world.

Security issues fixed with this release:

CVE-2016-6816
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-8745
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Solution: 

Update package.

CVEs: 
CVE-2016-6816
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.
CVE-2016-8745
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.
Additional Info: 

N/A

Download: 

SRPMS
  1. tomcat6-6.0.24-105.AXS4.src.rpm
    MD5: 33e58e37bf14a03c64f8de849a4d2627
    SHA-256: f49ea3226aca057e640228417f0b7d45f1d904e39ef311dcaa16500239b16dba
    Size: 3.64 MB

Asianux Server 4 for x86
  1. tomcat6-6.0.24-105.AXS4.noarch.rpm
    MD5: a3f16daf90e5c25da13f8f5f9deb2088
    SHA-256: c7d3e443cae49b104303f7c439c8fd7e06ce660964410b4542a5a717c056b4be
    Size: 94.76 kB
  2. tomcat6-el-2.1-api-6.0.24-105.AXS4.noarch.rpm
    MD5: a1fc094a6301595e781d48f233ab02fe
    SHA-256: 54065256a440122379d09003f853a6877fba90268b475ff45b5a6850afaec2c9
    Size: 50.55 kB
  3. tomcat6-jsp-2.1-api-6.0.24-105.AXS4.noarch.rpm
    MD5: 844c47d573b9d946c85e53186bdf4734
    SHA-256: 2b210ca7c4d23d989ea09d7d3c65ce459bfa49c092355bb19e0517b5cf1ec52b
    Size: 87.00 kB
  4. tomcat6-lib-6.0.24-105.AXS4.noarch.rpm
    MD5: c0da456c6b5ba32aba20d4ab1ae88c97
    SHA-256: a05c5e9439534ec7a4d85374e127a73e06a1d9a42e5b0e529b0037c5120c891b
    Size: 2.92 MB
  5. tomcat6-servlet-2.5-api-6.0.24-105.AXS4.noarch.rpm
    MD5: 5b135e76c635fcd4d1c2d582f95bb366
    SHA-256: a333d42b1d77898778e7d8ed46e200d9fb0152665b6174aed420600463849123
    Size: 121.03 kB

Asianux Server 4 for x86_64
  1. tomcat6-6.0.24-105.AXS4.noarch.rpm
    MD5: 72e1030778ddae5dedec9427d8be3d27
    SHA-256: 01fc8f0a4a7e04ebe8755c25bfdc5611847f5f3e85dfecf440244a6192c51e4b
    Size: 94.33 kB
  2. tomcat6-el-2.1-api-6.0.24-105.AXS4.noarch.rpm
    MD5: 1d6821d06c1767e8afa5e15710dc8b40
    SHA-256: a5573d6f34c9a75b1eabdcb0f3ca3f2304070031c332096ab1d6cc21097bed70
    Size: 50.09 kB
  3. tomcat6-jsp-2.1-api-6.0.24-105.AXS4.noarch.rpm
    MD5: 89cc28354692e670b3cd7f51d59082aa
    SHA-256: 47d29e80515280ece79dc4f580862a83ace3ed6147aa3c17a850cfd70b4f4641
    Size: 86.55 kB
  4. tomcat6-lib-6.0.24-105.AXS4.noarch.rpm
    MD5: 8423c45144a05d69ad9353ee32b8d0ed
    SHA-256: 45f89f8648d98b5d65470b32431dbc2adbe8df401cfce2efbe39dfeb7d9249a9
    Size: 2.92 MB
  5. tomcat6-servlet-2.5-api-6.0.24-105.AXS4.noarch.rpm
    MD5: 90eceaddff4b9def3b23082a1801821d
    SHA-256: 9a16d5f8aaf7a3b5c205de74ceae6bf05a10a6c49830b407c11546dcacffb197
    Size: 120.58 kB