FSA/FC6/FEDORA-2007-514-1

Fedora Core 6 Update: tomcat5-5.5.23-0jpp.2.fc6
- Fedora Update Notification FEDORA-2007-514 2007-05-21 -

Product     : Fedora Core 6
Name        : tomcat5
Version     : 5.5.23
Release     : 0jpp.2.fc6
Summary     : Apache Servlet/JSP Engine, RI for Servlet 2.4/JSP 2.0 API
Description :
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.

Tomcat is developed in an open and participatory environment and released under the Apache Software License. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project. To learn more about getting involved, click here.

- Update Information:

Several security issues were reported to be fixed in releases prior to 5.5.23 (http://tomcat.apache.org/security-5.html)

Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090)
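
A front-end check for the ambiguity behind CVE-2005-2090, as an added example that is not part of the Fedora advisory or of Tomcat: it rejects any request head carrying more than one Content-Length field, or a value that is not a single number. The strict reject policy, the function names and the sample requests are assumptions of this example.

```python
import re

DIGITS = re.compile(r"[0-9]+")  # ASCII digits only; \d would accept other scripts

def parse_head(raw: bytes):
    """Split a raw request head into (request_line, [(name, value), ...])."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    fields = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and fields:
            # Obsolete line folding: continuation of the previous field value.
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        fields.append((name, value.strip()))
    return lines[0], fields

def check_content_length(raw: bytes):
    """Return (ok, reason); ok is False whenever the body length is ambiguous."""
    _, fields = parse_head(raw)
    cl = [(n, v) for n, v in fields if n.strip().lower() == "content-length"]
    if not cl:
        return True, "no Content-Length"
    if len(cl) > 1:
        return False, "multiple Content-Length fields: %r" % [v for _, v in cl]
    name, value = cl[0]
    if name != name.strip():
        return False, "whitespace around field name"
    if not DIGITS.fullmatch(value):
        return False, "Content-Length is not a single number: %r" % value
    return True, "single Content-Length: %s" % value

# Constructed sample requests (not captured traffic); host and path are made up.
HEAD = b"POST /app/submit HTTP/1.1\r\nHost: example.test\r\n"
SAMPLES = {
    "single": HEAD + b"Content-Length: 5\r\n\r\nhello",
    "duplicate": HEAD + b"Content-Length: 5\r\nContent-Length: 0\r\n\r\nhello",
    "same-value-twice": HEAD + b"content-length: 5\r\nCONTENT-LENGTH: 5\r\n\r\nhello",
    "comma-list": HEAD + b"Content-Length: 5, 0\r\n\r\nhello",
    "no-body": b"GET /app/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

def scan(samples=SAMPLES):
    return {name: check_content_length(raw)[0] for name, raw in samples.items()}

if __name__ == "__main__":
    print(scan())
```

Rejecting at the front end, rather than picking the first or last value, keeps a cache or filter in front of Tomcat from disagreeing with the back end about where the request body ends.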

Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450)

The implicit-objects.jsp file distributed in the examples webapp displayed a number of unfiltered header values. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195)

Users should upgrade to these erratum packages which contain an update to Tomcat that resolves these issues. Updated jakarta-commons-modeler packages are also included which correct a bug when used with Tomcat 5.5.23.

- Rebuild
- Add catalina.out to the rpm and set explicit permissions; tomcat ownership
- Resolves: bug 237088
- Resolves: bug 237088
- Merge 0:5.5.17-8jpp.2 with sources/patches from 5.5.23
- Build against jakarta-commons-modeler 1.1 with MODELER-15 patch
- Changed PreReq to Requires(pre)
- Merge with upstream
- Fix condrestart in init script and location of init script in the spec file.
- Add the new config file, and add the CONNECTOR_PORT variable in it.
- Add the ability to start multiple instances of tomcat on the same machine.
 * Tue May 8 2007 Vivek Lakshmanan - 0:5.5.23-0jpp.2
 * Mon Apr 23 2007 Vivek Lakshmanan - 0:5.5.23-0jpp.1
 * Thu Jan 18 2007 Rafael Schloming - 0:5.5.17-8jpp.2
 * Wed Oct 4 2006 Fernando Nasser 0:5.5.17-8jpp.1
 * Wed Oct 4 2006 Permaine Cheung 0:5.5.17-8jpp
 * Mon Oct 2 2006 Permaine Cheung 0:5.5.17-7jpp
 * Mon Oct 2 2006 Permaine Cheung 0:5.5.17-6jpp

- This update can be downloaded from: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/


This update can be installed with the 'yum' update program. Use 'yum update package-name' at the command line. For more information, refer to 'Managing Software with yum,' available at http://fedora.redhat.com/docs/yum/.