tomcat5-5.5.23-0jpp.9.0.1.AXS3
Errata ID: AXSA:2010-401:01
Release date:
2010/08/06 Friday - 15:09
Title:
tomcat5-5.5.23-0jpp.9.0.1.AXS3
Affected channels:
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- A third party could create or overwrite arbitrary files via a .. (dot dot) in an entry of a WAR file. (CVE-2009-2693)
- A cross-site scripting (XSS) vulnerability exists in jsp/cal/cal2.jsp in the calendar application among the Apache Tomcat sample web applications; a remote attacker could inject arbitrary web script or HTML via the time parameter.
Note that this vulnerability is due to a missing fix for CVE-2009-0781. (CVE-2009-2696)
- Apache Tomcat has a vulnerability that allows files in the work directory to be deleted. (CVE-2009-2902)
- Apache Tomcat does not properly handle an invalid Transfer-Encoding header; a crafted header allows a remote attacker to cause a denial of service (application outage) or obtain sensitive information. (CVE-2010-2227)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2009-2693
Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry.
CVE-2009-2696
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
CVE-2009-2902
Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename.
CVE-2010-2227
Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."
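Added example, not part of this advisory and not Tomcat's own code: a Python pre-deployment check for the two deployment-path issues described under CVE-2009-2693 and CVE-2009-2902. It flags WAR archive entries whose path would land outside the deployment directory when extracted, and WAR filenames whose derived context name (the part before .war, which also names the work directory) is itself a traversal component such as "..". The deployment root, the sample archive and its entries, and all function names are constructed for illustration; the check does only path arithmetic and writes nothing to disk.

```python
import io
import posixpath
import zipfile

# Constructed virtual deployment root; used only for path normalization.
DEPLOY_ROOT = "/deploy/app"


def entry_escapes_root(entry_name, root=DEPLOY_ROOT):
    """Return True if extracting ``entry_name`` under ``root`` would resolve
    to a location outside ``root`` (absolute paths or climbing '..')."""
    normalized = entry_name.replace("\\", "/")          # treat Windows separators as '/'
    target = posixpath.normpath(posixpath.join(root, normalized))
    return not (target == root or target.startswith(root + "/"))


def unsafe_war_entries(war_bytes):
    """List every entry name in the WAR (a zip archive) that escapes the
    deployment root; an empty list means the archive passes this check."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if entry_escapes_root(info.filename)]


def context_name_from_war(filename):
    """Derive the context name the way a deployer does: strip the .war suffix."""
    if filename.lower().endswith(".war"):
        return filename[:-4]
    return filename


def war_filename_is_safe(filename):
    """Reject WAR filenames whose context name is empty, '.', '..', or
    contains a path separator, since that name also selects the work directory."""
    name = context_name_from_war(filename)
    if name in ("", ".", ".."):
        return False
    return "/" not in name and "\\" not in name


def build_sample_war():
    """Constructed sample archive: two benign entries plus one traversal entry
    of the kind named in the CVE-2009-2693 description."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("index.jsp", "<html></html>")
        zf.writestr("../../bin/catalina.bat", "constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    print("unsafe entries:", unsafe_war_entries(build_sample_war()))
    for fname in ("app.war", "...war", "../other.war"):
        print(fname, "->", "ok" if war_filename_is_safe(fname) else "rejected")
```

Running the block reports the single traversal entry from the constructed archive and rejects the "...war" and "../other.war" filenames while accepting "app.war". Normalizing against a fixed root rather than scanning for the substring ".." is deliberate: an entry like WEB-INF/classes/../lib/x.jar stays inside the root and passes, whereas any entry that actually climbs above the root is caught regardless of separator style.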
Additional information:
N/A
Downloads:
SRPMS
- tomcat5-5.5.23-0jpp.9.0.1.AXS3.src.rpm
MD5: 61726dc494dd04af3ea1e7a92e9d0eb7
SHA-256: 1cc8617a449bd7180e9374427af1cf1aebb5e79c814f8d99898d47cfdc13223a
Size: 4.73 MB
Asianux Server 3 for x86
- tomcat5-5.5.23-0jpp.9.0.1.AXS3.i386.rpm
MD5: f6211a90675ac2e072ed394405a32fc1
SHA-256: 6afbbf0995dbe8e82523bde3f0f4218f4b190da18e31d5e3c916586ad268bcde
Size: 341.13 kB
- tomcat5-admin-webapps-5.5.23-0jpp.9.0.1.AXS3.i386.rpm
MD5: 6d3da4eb4e8cf2cb2e1d9ef091e4d04c
SHA-256: dc0e251262135a9bf75f90fa5dc7dd4ded78bbe49eb80a788088cd55e8c72ed5
Size: 3.02 MB
- tomcat5-common-lib-5.5.23-0jpp.9.0.1.AXS3.i386.rpm
MD5: d3b9b0f7fa2057136c74082c9b5303ac
SHA-256: 5cbd3ad7f668d34d987d9d5d67940dbd6f9b77d2c0c0a9c1c21545735113c5c8
Size: 199.76 kB
- tomcat5-jasper-5.5.23-0jpp.9.0.1.AXS3.i386.rpm
MD5: dadeb4ef7c25c09a82febf26b2013440
SHA-256: a45e8a7dd2650b8c923347a8d3147ed3b0ad054382ffbb3ce7c589f20f47eda5
Size: 0.96 MB
- tomcat5-jasper-javadoc-5.5.23-0jpp.9.0.1.AXS3.i386.rpm
MD5: 6bf85aa99fd60f3a37fad7b453e35c30
SHA-256: 4e46ad09959304308adaf198d614fcec96a9e11222435bd5e5fca8987be18729
Size: 280.85 kB
- tomcat5-jsp-2.0-api-5.5.23-0jpp.9.0.1.AXS3.i386.rpm
MD5: ec0f5852636dd4ae9ba5800a97e8a6f7
SHA-256: 0b7e75c95119ea6b61551aafc9cc48e867fb405446cab81ae7ae447696880d3d
Size: 96.35 kB
- tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.9.0.1.AXS3.i386.rpm
MD5: 69a5d8c5a7f9ab9f2b95dadb15f200d0
SHA-256: e1b1fe6b9fd6acdf370c48e785442e0eb19443acf6a4611e147344a592774b91
Size: 148.69 kB
- tomcat5-server-lib-5.5.23-0jpp.9.0.1.AXS3.i386.rpm
MD5: c87125b3829d4ebdf387f240db0dfc43
SHA-256: ff4c76468c7be1c604c827da168fdfdc14c14d544586b110f2e69441a35d2ee6
Size: 3.59 MB
- tomcat5-servlet-2.4-api-5.5.23-0jpp.9.0.1.AXS3.i386.rpm
MD5: 63be29c3b29e742382fd523141876018
SHA-256: a7e9475c13f8489283ca42764b164af2bb4811aa93ef01653abc98e3d1272b10
Size: 153.23 kB
- tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.9.0.1.AXS3.i386.rpm
MD5: cca82c0050a86e7310e7f46186312bc9
SHA-256: a37719e145bc7f02aca85b04e7d3e402a62173894c1135cedc7b6c08e8cd0b04
Size: 153.89 kB
- tomcat5-webapps-5.5.23-0jpp.9.0.1.AXS3.i386.rpm
MD5: a9305e026d1400af8bf596bb0ee8b325
SHA-256: 9a71127c56d0d08b3de4635ba9308a58e27b98da68a60a99f3296b73625fece9
Size: 1.24 MB
Asianux Server 3 for x86_64
- tomcat5-5.5.23-0jpp.9.0.1.AXS3.x86_64.rpm
MD5: ed9f4381bd0f317683081a15a1de7a2d
SHA-256: 8860d805765b29a73934659c2054e84cf9ebdf4e5d74386ccade55624d2ca9bd
Size: 363.36 kB
- tomcat5-admin-webapps-5.5.23-0jpp.9.0.1.AXS3.x86_64.rpm
MD5: 5237af3b7e2ad5c499bb32d9e0e39f12
SHA-256: c0960bc4607b8e6bac31924ecacaf1dded749175c2e5795daedaf2cdc5107835
Size: 3.44 MB
- tomcat5-common-lib-5.5.23-0jpp.9.0.1.AXS3.x86_64.rpm
MD5: f882e690c1cf8bc88d395ad929d1e63a
SHA-256: d9d59a292c8e14ef73f782c07660b1220b74c03fe2493ddacfb1f3b23c37cb40
Size: 224.09 kB
- tomcat5-jasper-5.5.23-0jpp.9.0.1.AXS3.x86_64.rpm
MD5: a0b3311005d3bbfac7f2c019c19ff886
SHA-256: c912ce3547ca2b6cdd1096a3bb2f5b0b57c7d00f727d53e29658663c429a23d3
Size: 1.09 MB
- tomcat5-jasper-javadoc-5.5.23-0jpp.9.0.1.AXS3.x86_64.rpm
MD5: 45cc10201db4ee33a999246eda77faf3
SHA-256: 0915e4cc9e3aa9c88b5b3f636a208de685b4db4f04c94783e4547f9f586f2f89
Size: 280.67 kB
- tomcat5-jsp-2.0-api-5.5.23-0jpp.9.0.1.AXS3.x86_64.rpm
MD5: 646e343ac6e178045cc420a1a1d06bc3
SHA-256: 26ca671bfcd3d2ca877bcbb2515f2d04ba292ceeb75b7aaac7ac0fda164f7ad2
Size: 102.66 kB
- tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.9.0.1.AXS3.x86_64.rpm
MD5: 32a8f5b4ebafecf3e165955d118850a6
SHA-256: 9e0351f3da03480bf7b71e7fefa57edbd947028944ef7315f15c9d9f4777d76b
Size: 148.53 kB
- tomcat5-server-lib-5.5.23-0jpp.9.0.1.AXS3.x86_64.rpm
MD5: 749117b69f741a8a3ede2e218262eee8
SHA-256: efb1bee2b326c74454a354663bc27526515365c6bf0f2698b03a5e525c215821
Size: 4.06 MB
- tomcat5-servlet-2.4-api-5.5.23-0jpp.9.0.1.AXS3.x86_64.rpm
MD5: e50aa01f888f9f172866ab47b32cf001
SHA-256: d96785a93092e1b82576212bb94cd05f82c0fdf363ccaa9d67285cc742aed227
Size: 162.57 kB
- tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.9.0.1.AXS3.x86_64.rpm
MD5: 3d85512510d35aa55e319bb4dab4b0ab
SHA-256: 74d364ba6344d5c7c593f158b06b7931e1b9f2f69993d3bdf65a21ddea1fa38b
Size: 153.74 kB
- tomcat5-webapps-5.5.23-0jpp.9.0.1.AXS3.x86_64.rpm
MD5: 20c3031ad2f6e7fe3b98918cfb7a42f1
SHA-256: 61a082fa51d98c6cd970b690dd62d6a94c6606921c11a756087cc82c659fa09b
Size: 1.24 MB