[security-announce] openSUSE-SU-2012:0208-1: important: tomcat6: Fix multiple weaknesses in HTTP DIGESTS

openSUSE Security Update: tomcat6: Fix multiple weaknesses in HTTP DIGESTS
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2012:0208-1
Rating:             important
References:         #742477
Cross-References:   CVE-2011-1184 CVE-2011-5062 CVE-2011-5063
                    CVE-2011-5064
Affected Products:
                    openSUSE 11.4
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

 

Description:

This update fixes a regression in parameter passing (in
urldecoding of parameters that contain spaces).

In addition, multiple weaknesses in HTTP DIGESTS are fixed
(CVE-2011-1184).

CVE-2011-5062: The HTTP Digest Access Authentication
implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x
before 6.0.33 and 7.x before 7.0.12 does not check qop
values, which might allow remote attackers to bypass
intended integrity-protection requirements via a qop=auth
value, a different vulnerability than CVE-2011-1184.

CVE-2011-5063: The HTTP Digest Access Authentication
implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x
before 6.0.33, and 7.x before 7.0.12 does not check realm
values, which might allow remote attackers to bypass
intended access restrictions by leveraging the availability
of a protection space with weaker authentication or
authorization requirements, a different vulnerability than
CVE-2011-1184.

CVE-2011-5064: DigestAuthenticator.java in the HTTP Digest
Access Authentication implementation in Apache Tomcat 5.5.x
before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12
uses Catalina as the hard-coded server secret (aka private
key), which makes it easier for remote attackers to bypass
cryptographic protection mechanisms by leveraging knowledge
of this string, a different vulnerability than
CVE-2011-1184.
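As an added illustration (not Tomcat's code and not part of the advisory), the following Python sketch shows the three server-side checks the three CVEs above describe: the realm must match the configured one, the qop must be the one the server requires, and the nonce must be bound to a random per-start server secret instead of a fixed string. REALM, REQUIRED_QOP, the user table and the secret are constructed sample values.

```python
import hashlib, hmac, re, secrets, time

# Added example, not Tomcat's code: the three server-side checks the advisory
# says the vulnerable DigestAuthenticator omitted. Realm, required qop, the
# user table and the secret are constructed sample values.
REALM = "example-realm"
REQUIRED_QOP = "auth"                    # set "auth-int" where body integrity is required
USERS = {"alice": "s3cret"}              # constructed test account
SERVER_SECRET = secrets.token_bytes(16)  # random per start, never a fixed string
NONCE_LIFETIME = 300                     # seconds

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def make_nonce(now, secret=SERVER_SECRET):
    # timestamp:HMAC(secret, timestamp); without the secret a nonce cannot be forged
    ts = str(int(now))
    return ts + ":" + hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()

def nonce_ok(nonce, now, secret=SERVER_SECRET):
    ts, _, tag = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and 0 <= now - int(ts) <= NONCE_LIFETIME

def parse_digest(header):
    # 'Digest k="v", k2=v2' -> dict; quoted and bare values both accepted
    if not header.startswith("Digest "):
        return {}
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', header[7:])}

def check_digest(header, method, now, secret=SERVER_SECRET):
    p = parse_digest(header)
    need = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")
    if any(k not in p for k in need) or p["username"] not in USERS:
        return False, "missing field or unknown user"
    if p["realm"] != REALM:                      # CVE-2011-5063: realm was not checked
        return False, "wrong realm"
    if p["qop"] != REQUIRED_QOP:                 # CVE-2011-5062: qop was not checked
        return False, "qop not permitted"
    if not nonce_ok(p["nonce"], now, secret):    # CVE-2011-5064: fixed secret made nonces forgeable
        return False, "bad or stale nonce"
    ha1 = md5hex(f'{p["username"]}:{REALM}:{USERS[p["username"]]}')
    ha2 = md5hex(f'{method}:{p["uri"]}')
    good = md5hex(f'{ha1}:{p["nonce"]}:{p["nc"]}:{p["cnonce"]}:{p["qop"]}:{ha2}')
    if not hmac.compare_digest(good, p["response"]):
        return False, "bad response"
    return True, "ok"
```

Each rejection reason maps to one of the CVEs, so the same function doubles as a checklist when reviewing a Digest implementation.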

 

 

Special Instructions and Notes:

Please reboot the system after installing this update.

 

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 11.4:

zypper in -t patch tomcat6-5765

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

- openSUSE 11.4 (noarch):

tomcat6-6.0.32-7.14.1
tomcat6-admin-webapps-6.0.32-7.14.1
tomcat6-docs-webapp-6.0.32-7.14.1
tomcat6-el-1_0-api-6.0.32-7.14.1
tomcat6-javadoc-6.0.32-7.14.1
tomcat6-jsp-2_1-api-6.0.32-7.14.1
tomcat6-lib-6.0.32-7.14.1
tomcat6-servlet-2_5-api-6.0.32-7.14.1
tomcat6-webapps-6.0.32-7.14.1

 

 

References:

http://support.novell.com/security/cve/CVE-2011-1184.html
http://support.novell.com/security/cve/CVE-2011-5062.html
http://support.novell.com/security/cve/CVE-2011-5063.html
http://support.novell.com/security/cve/CVE-2011-5064.html
https://bugzilla.novell.com/742477

 
