tomcat6-6.0.24-33.AXS4

Errata ID: AXSA:2011-642:02

Release date: 
2011/12/28 Wednesday - 12:19
Title: 
tomcat6-6.0.24-33.AXS4
Affected channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.
Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world.
Security issues fixed with this release:
CVE-2010-3718
Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.
CVE-2010-4172
Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications.
CVE-2011-0013
Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Software Foundation Tomcat 7.0 before 7.0.6, 5.5 before 5.5.32, and 6.0 before 6.0.30 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
Fixed bugs:
- Multiple instances of Tomcat can be run simultaneously.
- Added a symbolic link to the "/usr/share/tomcat6/bin/tomcat-juli.jar" library needed by the "build-jar-repository" command.
- This update modifies the init script to work correctly regardless of the daemon user's login shell, preventing the following error message from appearing: "This account is currently not available." Additionally, these new tomcat6 packages now set "/sbin/nologin" as the login shell for the "tomcat" user upon installation, as recommended by deployment best practices.
- Some standard Tomcat directories were missing write permissions for the "tomcat" group. This has been fixed and errors such as "No output folder" no longer appear.

Solution: 

Update packages.

Additional information: 

From Asianux Server 4 SP1.

Downloads: 

SRPMS
  1. tomcat6-6.0.24-33.AXS4.src.rpm
    MD5: d9edac95cfe30fd0a261f7c8d6f98aad
    SHA-256: 8d4e1bee18bd8934df251a564645b887f3fa8665b9214b28875eab3250200b23
    Size: 3.33 MB

Asianux Server 4 for x86
  1. tomcat6-6.0.24-33.AXS4.noarch.rpm
    MD5: 80adbf7a45a3949b9c21cad8934db49d
    SHA-256: 578fd7f67a526d9ca1962d08d62db8167eeb1d5bb92298b68c05fb031efad8c5
    Size: 85.92 kB
  2. tomcat6-el-2.1-api-6.0.24-33.AXS4.noarch.rpm
    MD5: fd7b4f9284f19053b0788a0cc410faa7
    SHA-256: 948e6bc92cbc654af857ad3322d463a8c7586f4692c431a4f485d99769d8265c
    Size: 41.26 kB
  3. tomcat6-jsp-2.1-api-6.0.24-33.AXS4.noarch.rpm
    MD5: 3daebad2b0fa3ab2539b5857a261f4e4
    SHA-256: d52e86bc1c4730b2fbfc1f659ee4744d1921aa98bc9c50191f5e38f7133f0a67
    Size: 78.15 kB
  4. tomcat6-lib-6.0.24-33.AXS4.noarch.rpm
    MD5: 1af824d360bb49f8f33f4251f1e78902
    SHA-256: cc54e74f4a8f38115590116bc62331b7d4e74209ed47d69b9da8ad48dfdb1335
    Size: 2.81 MB
  5. tomcat6-servlet-2.5-api-6.0.24-33.AXS4.noarch.rpm
    MD5: 5b6e868c3d2d7687276f6e4f871027fd
    SHA-256: ce282d574587691ec2902a0194f279e1bbddf41f18fc1c5fd44f3d2b3a3e2f47
    Size: 92.04 kB

Asianux Server 4 for x86_64
  1. tomcat6-6.0.24-33.AXS4.noarch.rpm
    MD5: a74adbf8dc73d73615490dc8eb20e3ea
    SHA-256: e2795c26565063bf774a05f9dcc109378386bd9d84dc6d6cdf8726ad2f49f762
    Size: 85.49 kB
  2. tomcat6-el-2.1-api-6.0.24-33.AXS4.noarch.rpm
    MD5: fe5b3ae048f59938924c18fac6cff940
    SHA-256: 42958b347a6003f41c0062c8e4815d76348fbf7e23bac830c0e2b3b4f243a2cc
    Size: 40.81 kB
  3. tomcat6-jsp-2.1-api-6.0.24-33.AXS4.noarch.rpm
    MD5: dabf861d20c9806138ea4d3ca768109c
    SHA-256: edb789329246d21760de63ddcdfba6a8b0d62753c44d1ff1f2b4947e56c020e7
    Size: 77.70 kB
  4. tomcat6-lib-6.0.24-33.AXS4.noarch.rpm
    MD5: f7386efb51a0b4346a199608c21ae8cb
    SHA-256: f1cbe89bc8a400e81962bb406097ddf7ae9361e6418f7f1225290e08df1719e0
    Size: 2.81 MB
  5. tomcat6-servlet-2.5-api-6.0.24-33.AXS4.noarch.rpm
    MD5: 0f1cf74f2993c7d4214fb690ec65a327
    SHA-256: 2180e972e248aac62aba3908cdc78d331b95a8217ce33ca60d90d12272dc6265
    Size: 91.59 kB