
[security-announce] SUSE-SU-2012:0155-1: important: Security update for tomcat6


SUSE Security Update: Security update for tomcat6

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2012:0155-1

Rating: important

References: #735343 #742477

Cross-References: CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064

Affected Products:

SUSE Manager 1.2 for SLE 11 SP1

SUSE Linux Enterprise Server 11 SP1 for VMware

SUSE Linux Enterprise Server 11 SP1

______________________________________________________________________________

 

An update that fixes four vulnerabilities is now available.

 

Description:

 

 

This update fixes a regression in parameter passing (in the URL decoding of parameters that contain spaces).

 

In addition, multiple weaknesses in the HTTP Digest authentication implementation have been fixed (tracked together as CVE-2011-1184, with the individual issues listed below):

 

* CVE-2011-5062: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

* CVE-2011-5063: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.

* CVE-2011-5064: DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses "Catalina" as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

 

Security Issue references:

 

* CVE-2011-1184

 

* CVE-2011-5062

 

* CVE-2011-5063

 

* CVE-2011-5064

 

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Manager 1.2 for SLE 11 SP1:

 

zypper in -t patch sleman12sp1-tomcat6-5759

 

- SUSE Linux Enterprise Server 11 SP1 for VMware:

 

zypper in -t patch slessp1-tomcat6-5759

 

- SUSE Linux Enterprise Server 11 SP1:

 

zypper in -t patch slessp1-tomcat6-5759

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Manager 1.2 for SLE 11 SP1 (noarch):

 

tomcat6-6.0.18-20.35.36.1

tomcat6-jsp-2_1-api-6.0.18-20.35.36.1

tomcat6-lib-6.0.18-20.35.36.1

tomcat6-servlet-2_5-api-6.0.18-20.35.36.1

 

- SUSE Linux Enterprise Server 11 SP1 for VMware (noarch):

 

tomcat6-6.0.18-20.35.36.1

tomcat6-admin-webapps-6.0.18-20.35.36.1

tomcat6-docs-webapp-6.0.18-20.35.36.1

tomcat6-javadoc-6.0.18-20.35.36.1

tomcat6-jsp-2_1-api-6.0.18-20.35.36.1

tomcat6-lib-6.0.18-20.35.36.1

tomcat6-servlet-2_5-api-6.0.18-20.35.36.1

tomcat6-webapps-6.0.18-20.35.36.1

 

- SUSE Linux Enterprise Server 11 SP1 (noarch):

 

tomcat6-6.0.18-20.35.36.1

tomcat6-admin-webapps-6.0.18-20.35.36.1

tomcat6-docs-webapp-6.0.18-20.35.36.1

tomcat6-javadoc-6.0.18-20.35.36.1

tomcat6-jsp-2_1-api-6.0.18-20.35.36.1

tomcat6-lib-6.0.18-20.35.36.1

tomcat6-servlet-2_5-api-6.0.18-20.35.36.1

tomcat6-webapps-6.0.18-20.35.36.1

 

 

References:

 

http://support.novell.com/security/cve/CVE-2011-1184.html

http://support.novell.com/security/cve/CVE-2011-5062.html

http://support.novell.com/security/cve/CVE-2011-5063.html

http://support.novell.com/security/cve/CVE-2011-5064.html

https://bugzilla.novell.com/735343

https://bugzilla.novell.com/742477

http://download.novell.com/patch/finder/?keywords=0caaafb09da77d4c28b53eeb14113592

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 
