First published: Mon May 14 2007
Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies.

Tomcat was found to accept multiple Content-Length headers in a request. This could allow attackers to poison a web cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090)

Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450)

The implicit-objects.jsp file distributed in the examples webapp displayed a number of unfiltered header values. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195)

Users should upgrade to these erratum packages, which contain an update to Tomcat that resolves these issues. Updated jakarta-commons-modeler packages are also included, which correct a bug when used with Tomcat 5.5.23.
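The three issues above are all things a reverse proxy or front-end filter can check before a request reaches Tomcat. The following is an added example, not code from the Red Hat advisory or from Tomcat itself: it parses a raw HTTP request head, rejects requests carrying more than one Content-Length header, canonicalises the request path (percent-decoding, mapping backslashes to slashes, collapsing repeated slashes, resolving `..`) before comparing it against a proxy context allowlist, and HTML-escapes header values before they are reflected into a page. The allowlist (`/app`, `/static`), the sample requests and the exact set of delimiters normalised are assumptions made for the example.

```python
"""Front-end request checks for the three issue classes in this advisory.

Added example, not part of the Red Hat advisory or of Tomcat itself.
Assumptions: a reverse proxy exposes only an allowlist of contexts
(the hypothetical '/app' and '/static'); the delimiter set normalised
here (backslash, percent-encoded separators) is the example's own choice;
all sample requests below are constructed, not captured traffic.
"""
import html
import posixpath
import re
from urllib.parse import unquote

ALLOWED_CONTEXTS = ("/app", "/static")   # hypothetical proxy allowlist


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Headers come back as a list of (name, value) pairs so that repeated
    headers are preserved rather than silently merged or overwritten.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


def check_content_length(headers):
    """Return a rejection reason if Content-Length is repeated or malformed.

    CVE-2005-2090 class: a front end and a back end may each pick a
    different value, so any repetition (even with equal values) is
    treated as malformed and the request is refused outright.
    """
    values = [v for n, v in headers if n == "content-length"]
    if len(values) > 1:
        return f"multiple Content-Length headers: {values}"
    if values and not values[0].isdigit():
        return f"non-numeric Content-Length: {values[0]!r}"
    return None


def canonical_path(target: str) -> str:
    """Normalise the request path before any context comparison.

    CVE-2007-0450 class: a prefix check on the raw request target can be
    fooled when the backend accepts other characters as path delimiters,
    so decode and normalise first and compare what the backend would see.
    """
    path = target.split("?", 1)[0]
    path = unquote(path).replace("\\", "/")        # one decoding pass only
    path = re.sub(r"/+", "/", path)                # collapse '//' runs
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)                # resolves '.' and '..'


def check_context(target: str):
    """Return a rejection reason if the canonical path is not allowlisted."""
    path = canonical_path(target)
    for ctx in ALLOWED_CONTEXTS:
        if path == ctx or path.startswith(ctx + "/"):
            return None
    return f"path {path!r} is outside the proxied contexts"


def vet_request(raw: bytes):
    """Return a list of rejection reasons; an empty list means it passes."""
    _method, target, headers = parse_request(raw)
    return [p for p in (check_content_length(headers), check_context(target)) if p]


def safe_header_echo(headers):
    """Escape header names and values before reflecting them into HTML.

    CVE-2006-7195 class: implicit-objects.jsp printed header values
    unfiltered; escaping '<', '>', '&' and quotes removes that vector.
    """
    return "\n".join(f"<li>{html.escape(n)}: {html.escape(v)}</li>" for n, v in headers)


# Constructed sample requests (not captured traffic).
CLEAN = (b"GET /app/index.jsp HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 0\r\n\r\n")
DOUBLE_CL = (b"POST /app/login HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 40\r\n\r\nhello")
BACKSLASH = b"GET /app\\..\\internal/status HTTP/1.1\r\nHost: example.test\r\n\r\n"
ENCODED = b"GET /app/..%2Finternal/ HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("clean", CLEAN), ("double-cl", DOUBLE_CL),
                      ("backslash", BACKSLASH), ("encoded", ENCODED)]:
        print(name, vet_request(req) or "accepted")
```

The check fails closed: anything that does not canonicalise into an allowlisted context is refused, and a repeated Content-Length is refused even when both copies agree, since the safe move at a boundary is to drop ambiguous framing rather than guess which value the backend will honour.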
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jakarta-commons-modeler | <1.1-8jpp.1.0.2.el5 | 1.1-8jpp.1.0.2.el5 |
redhat/jakarta-commons-modeler-javadoc | <1.1-8jpp.1.0.2.el5 | 1.1-8jpp.1.0.2.el5 |
redhat/tomcat5 | <5.5.23-0jpp.1.0.3.el5 | 5.5.23-0jpp.1.0.3.el5 |
redhat/tomcat5-admin-webapps | <5.5.23-0jpp.1.0.3.el5 | 5.5.23-0jpp.1.0.3.el5 |
redhat/tomcat5-common-lib | <5.5.23-0jpp.1.0.3.el5 | 5.5.23-0jpp.1.0.3.el5 |
redhat/tomcat5-jasper | <5.5.23-0jpp.1.0.3.el5 | 5.5.23-0jpp.1.0.3.el5 |
redhat/tomcat5-jasper-javadoc | <5.5.23-0jpp.1.0.3.el5 | 5.5.23-0jpp.1.0.3.el5 |
redhat/tomcat5-jsp-2.0-api | <5.5.23-0jpp.1.0.3.el5 | 5.5.23-0jpp.1.0.3.el5 |
redhat/tomcat5-jsp-2.0-api-javadoc | <5.5.23-0jpp.1.0.3.el5 | 5.5.23-0jpp.1.0.3.el5 |
redhat/tomcat5-server-lib | <5.5.23-0jpp.1.0.3.el5 | 5.5.23-0jpp.1.0.3.el5 |
redhat/tomcat5-servlet-2.4-api | <5.5.23-0jpp.1.0.3.el5 | 5.5.23-0jpp.1.0.3.el5 |
redhat/tomcat5-servlet-2.4-api-javadoc | <5.5.23-0jpp.1.0.3.el5 | 5.5.23-0jpp.1.0.3.el5 |
redhat/tomcat5-webapps | <5.5.23-0jpp.1.0.3.el5 | 5.5.23-0jpp.1.0.3.el5 |