tomcat5-5.5.23-0jpp.7.1.1AXS3
Errata ID: AXSA:2008-90:02
Release date:
2008/09/22 Monday - 12:53
Title:
tomcat5-5.5.23-0jpp.7.1.1AXS3
Affected channels:
Asianux Server 3 for ppc
Asianux Server 3 for ia64
Asianux Server 3 for x86
Asianux Server 3 for x86_64
Severity:
High
Description:
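The following issues have been addressed.
[Security Fix]
Apache Tomcat mishandles the message argument passed to the HttpServletResponse.sendError method, resulting in a cross-site scripting vulnerability. (CVE-2008-1232)
The Apache Tomcat host-manager has a problem in how it processes the name parameter (the hostname attribute), resulting in a cross-site scripting vulnerability. (CVE-2008-1947)
When a RequestDispatcher is used, Apache Tomcat performs path normalization before removing the query string from the URI, resulting in a directory traversal vulnerability. (CVE-2008-2370)
Apache Tomcat has a directory traversal vulnerability when allowLinking and UTF-8 are enabled. (CVE-2008-2938)
The translated text for some of the CVEs is quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.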
CVE:
CVE-2008-1232
Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method.
CVE-2008-1947
Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.
CVE-2008-2370
Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.
CVE-2008-2938
Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.
Additional information:
N/A
Downloads:
Asianux Server 3 for x86
- tomcat5-5.5.23-0jpp.7.1.1AXS3.i386.rpm
MD5: 20495bdf43b225f673a3a1fffe43f73d
SHA-256: fe460ca9789714fd8283dd6fe9c05fd92d33eda6d0f12af458b200dda832d1af
Size: 323.55 kB
- tomcat5-admin-webapps-5.5.23-0jpp.7.1.1AXS3.i386.rpm
MD5: 21c2189c49633a238dd6ba48141d4af6
SHA-256: 8f82c3881097709f0dd254a85a26f72587c8ca23ec9f676fbee89a398cd20fef
Size: 3.03 MB
- tomcat5-common-lib-5.5.23-0jpp.7.1.1AXS3.i386.rpm
MD5: 1b0e776e049bfd0df36b5c28bd6d6e7f
SHA-256: 747a1e074427eed9e17b6afb18ccce05423c020a661c32bfd10991d8a5e69de3
Size: 185.06 kB
- tomcat5-jasper-5.5.23-0jpp.7.1.1AXS3.i386.rpm
MD5: 39b672c9d3e8c3a5203de4f32d78a56c
SHA-256: 3d0c66c60dce4f92148464afcbdb1336d7d16b760dde20b5ba6db2b5769c9961
Size: 969.47 kB
- tomcat5-jasper-javadoc-5.5.23-0jpp.7.1.1AXS3.i386.rpm
MD5: 0ffd4125e98cfe8bd2d5e27244509000
SHA-256: cdc4f2af7386577e57561fc46022bf7c999d7b2eb24e34ca42cba89190380f7e
Size: 281.48 kB
- tomcat5-jsp-2.0-api-5.5.23-0jpp.7.1.1AXS3.i386.rpm
MD5: 8f1379b2c11830bfc053e96b3e42623a
SHA-256: 68d62692e94fd78b12f0f4c61a64bb8c4dfea6c8e86364d5fa6da360f874a598
Size: 81.84 kB
- tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.1.1AXS3.i386.rpm
MD5: c2f17d9fa9990041b359a33d8cadae03
SHA-256: c4916c1075e5d8319fb1fe1f65735894c273c9024b5b9a4cd8866f183b0eabae
Size: 140.05 kB
- tomcat5-server-lib-5.5.23-0jpp.7.1.1AXS3.i386.rpm
MD5: ea34a677cce7c61fddd5c2b63f332b9e
SHA-256: 5946734fe6b3d4a5f81d7e3fa64f721390cf1e24d4ef7e69a526f2be133be5f0
Size: 3.57 MB
- tomcat5-servlet-2.4-api-5.5.23-0jpp.7.1.1AXS3.i386.rpm
MD5: 9b520dee07d3e4eed6083475270a408c
SHA-256: 3e5e0e026558c3102b89e71823637495505956e9772670044df09f2d5dc57d07
Size: 138.46 kB
- tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.1.1AXS3.i386.rpm
MD5: 658802ce5877b21129c6856fe20b70a3
SHA-256: e13e2b51f530bf7f2e82b63a5f11a7db00b05af5912f3fa4ca53f2d91324b82e
Size: 147.23 kB
- tomcat5-webapps-5.5.23-0jpp.7.1.1AXS3.i386.rpm
MD5: 33c2958152c195351a73439f451ccb0a
SHA-256: 1085b18d5547b648f4d3039df8297e65ef6f0e14b0d9af02e1c6c17faa923206
Size: 1.25 MB
Asianux Server 3 for x86_64
- tomcat5-5.5.23-0jpp.7.1.1AXS3.x86_64.rpm
MD5: 2b45fa1eb970c576c6efbdb189eb5f45
SHA-256: 543ce72dc93556bc34d8c8231df935d50d4059d1941c2d8a5084527604dd3db1
Size: 346.47 kB
- tomcat5-admin-webapps-5.5.23-0jpp.7.1.1AXS3.x86_64.rpm
MD5: ba22d95dfc242488d81259b9372f47f5
SHA-256: 80d11a23058d9d985cc2dac1642060fd64efdfd3505d356cd92b56876dc3f00e
Size: 3.44 MB
- tomcat5-common-lib-5.5.23-0jpp.7.1.1AXS3.x86_64.rpm
MD5: 7218913e3dc928c8a229a8b035001317
SHA-256: c4a9e5b2e0b14154232ce91b27a21c88577eff63c489049803ffca8967680c17
Size: 208.60 kB
- tomcat5-jasper-5.5.23-0jpp.7.1.1AXS3.x86_64.rpm
MD5: 9bfcf4179273950fe63b35f81e1b0dbb
SHA-256: 0d731ca211b7343c1ae89d4f3172bb04a2e1fa1fa4b7c8af9b577f38741db771
Size: 1.08 MB
- tomcat5-jasper-javadoc-5.5.23-0jpp.7.1.1AXS3.x86_64.rpm
MD5: 6deb143681b5bc81bc7bf65765201d91
SHA-256: debc4103de86af636485597f65fb7ff068274ed95b6382ae32d06a72ff144f76
Size: 281.24 kB
- tomcat5-jsp-2.0-api-5.5.23-0jpp.7.1.1AXS3.x86_64.rpm
MD5: c1c89f60452514e4606c426190698588
SHA-256: e72d819c708a9c747e09a5f96a83e38c432cabf83498b2e45ec11fe158553fbf
Size: 88.19 kB
- tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.7.1.1AXS3.x86_64.rpm
MD5: b75ed2a6045949ad2b7b486359492a34
SHA-256: 7f9fb9776dfbac102db296c3e02a85c0c00c923ea45d16261590469e2427d057
Size: 140.13 kB
- tomcat5-server-lib-5.5.23-0jpp.7.1.1AXS3.x86_64.rpm
MD5: 9284ae179b10ce81851faac34f2600b3
SHA-256: d98ccda73608712a0d6850115a0efe26c0ce465edea74ad60a2cccab5225f87d
Size: 4.04 MB
- tomcat5-servlet-2.4-api-5.5.23-0jpp.7.1.1AXS3.x86_64.rpm
MD5: 67ff720c085a40fd488b1a4d0fa21ff7
SHA-256: 081798451b1e492bf6bfefe88b674bcc9b659bf1b30cbe3d1aa708b1a5acd6d6
Size: 147.43 kB
- tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.7.1.1AXS3.x86_64.rpm
MD5: a2c0cbe2b4e96f9598776e7082ef942a
SHA-256: 9b2f26b14bcb1efad93fe338560f394ea8d9af064070a80b4bd618cd76807995
Size: 147.24 kB
- tomcat5-webapps-5.5.23-0jpp.7.1.1AXS3.x86_64.rpm
MD5: f22af6b1467adf5ac73519b9c7c24e65
SHA-256: 377e3c3a213c9ff7fd6526456024c294aeb78881c8960d008ffcd357ad5ac4e8
Size: 1.26 MB