
[Debian] Vulnerability in tomcat4 - DSA 225-1



-----BEGIN PGP SIGNED MESSAGE-----

Dear colleagues,

We have just received the following warning from the Debian team about
security problems in "tomcat4". We are passing this information on to
you unchanged.

A programming error in Apache "tomcat", a container for Java Servlets
and Java Server Pages (JSP), can allow a remote attacker, by passing a
specially crafted URL to an affected web server, to display the source
code of JSP pages or to access other protected files without having to
authenticate.

Affected is "tomcat4" in Debian GNU/Linux 3.0 (woody), 2.2 (potato)
and UNSTABLE (sid). The error is fixed in version:

	4.0.3-3woody2 (woody) and
	4.1.16-1 (sid).

(c) of the German summary by DFN-CERT GmbH; distribution, including
excerpts, is permitted only with reference to the author, DFN-CERT
GmbH, and only for non-commercial purposes.

Kind regards,

	Marco Thorbruegge, DFN-CERT

- -- 
Marco Thorbruegge        |              mailto:thorbruegge@xxxxxxxxxxx
DFN-CERT GmbH            |          http://www.cert.dfn.de/team/matho/
Oberstrasse 14b          |                    Phone: +49(40)808077-555
D-20144 Hamburg/Germany  |                      FAX: +49(40)808077-556
PGP-Key: 0xAE662425 Fingerpr.: 7E5C A77A F91D 63D1 02AB 9526 53FF F1A0 

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 225-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
January 9th, 2002                       http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : tomcat4
Vulnerability  : source disclosure
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2002-1394

A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases, which allows a specially crafted URL to be used to
return the unprocessed source of a JSP page, or, under special
circumstances, a static resource which would otherwise have been
protected by a security constraint, without the need for being properly
authenticated.  This is based on a variant of the exploit that was
identified as CAN-2002-1148.

For the current stable distribution (woody) this problem has been
fixed in version 4.0.3-3woody2.

The old stable distribution (potato) does not contain tomcat packages.

For the unstable distribution (sid) this problem does not exist in the
current version 4.1.16-1.

We recommend that you upgrade your tomcat packages.


Installation Instructions
- - -------------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
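The advisory lists a Size/MD5 checksum for every file it publishes. The following script is an added example, not part of DSA 225-1 or of Debian's tooling: it parses that "URL / Size/MD5 checksum" block out of a saved copy of the advisory and verifies the files fetched with wget before dpkg -i is run, so an altered or truncated download is refused. It assumes the advisory text is saved to a file, the packages sit in the current directory, and md5sum(1) is available; the built-in demo uses a constructed file, not a real package.

```shell
#!/bin/sh
# Added example, not part of DSA 225-1: check fetched package files against
# the "Size/MD5 checksum" lines of the advisory before running "dpkg -i".
# Assumes wget placed the files in the current directory and md5sum exists.

# Parse the advisory: a URL line followed by "Size/MD5 checksum: SIZE MD5".
# Output: one "basename size md5" triple per listed file.
parse_dsa_files() {
    awk '
        /^[[:space:]]*(http|ftp):\/\// { n = split($1, p, "/"); name = p[n]; next }
        /Size\/MD5 checksum:/ && name != "" { print name, $(NF-1), $NF; name = "" }
    ' "$1"
}

# Verify one file: present, same size, same MD5. Returns 1 on any mismatch.
verify_file() {
    f=$1; want_size=$2; want_md5=$3
    [ -f "$f" ] || { echo "MISSING       $f"; return 1; }
    got_size=$(wc -c < "$f" | tr -d ' ')
    got_md5=$(md5sum "$f" | cut -d' ' -f1)
    [ "$got_size" = "$want_size" ] || { echo "SIZE MISMATCH $f"; return 1; }
    [ "$got_md5" = "$want_md5" ] || { echo "MD5 MISMATCH  $f"; return 1; }
    echo "OK            $f"
}

# Verify every file the advisory lists; returns 1 if any check fails, so
# "verify_all dsa.txt && dpkg -i *.deb" never installs an altered package.
verify_all() {
    rc=0
    while read -r name size md5; do
        [ -n "$name" ] || continue
        verify_file "$name" "$size" "$md5" || rc=1
    done <<EOF
$(parse_dsa_files "$1")
EOF
    return $rc
}

# Constructed self-test (runs in a subshell in a temp dir): a fake .deb
# containing "hello\n" (6 bytes) and a matching advisory excerpt; the
# checksum below is md5("hello\n"), not a value from the real advisory.
demo() (
    d=$(mktemp -d) && cd "$d" || return 1
    printf 'hello\n' > constructed_test.deb
    printf '%s\n' '    http://security.debian.org/pool/updates/contrib/t/tomcat4/constructed_test.deb' \
        '      Size/MD5 checksum:        6 b1946ac92492d2347c6235b4d2611184' > dsa.txt
    verify_all dsa.txt
)

if [ $# -gt 0 ]; then verify_all "$1"; else demo; fi
```

Save the advisory as dsa.txt next to the downloaded files and run `sh verify-dsa.sh dsa.txt && dpkg -i *.deb`; with no argument the script runs only the constructed demo.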


Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2.dsc
      Size/MD5 checksum:      708 0911f7c03a0ab71133fbe95bf45d0d20
    http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2.diff.gz
      Size/MD5 checksum:    15881 de9f6f0fb39374bfe4ece1ef4824d942
    http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3.orig.tar.gz
      Size/MD5 checksum:  1588186 2b2e0d859f7152e5225633933e6585d6

  Architecture independent components:

    http://security.debian.org/pool/updates/contrib/t/tomcat4/libtomcat4-java_4.0.3-3woody2_all.deb
      Size/MD5 checksum:  1134258 680c67daebdd36eb879ce593e6362f3b
    http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4-webapps_4.0.3-3woody2_all.deb
      Size/MD5 checksum:  1167502 34f71826d8441f967e3da0ee4ab9a1be
    http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2_all.deb
      Size/MD5 checksum:   126444 e7dbc07086a7e349474bff877342cb6d


  These files will probably be moved into the stable distribution on
  its next revision.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----