[Secure-testing-team] Bug#532362: CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2009-0781: Apache Tomcat 6 Multiple Vulnerabilities

Giuseppe Iuculano giuseppe at iuculano.it
Mon Jun 8 20:34:08 UTC 2009 

Package: tomcat6
Version: 6.0.16-1 6.0.18-dfsg1-1
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for tomcat6.

CVE-2009-0033[0]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when the Java AJP connector and mod_jk load balancing
| are used, allows remote attackers to cause a denial of service
| (application outage) via a crafted request with invalid headers,
| related to temporary blocking of connectors that have encountered
| errors, as demonstrated by an error involving a malformed HTTP Host
| header.

CVE-2009-0580[1]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18, when FORM authentication is used, allows remote
| attackers to enumerate valid usernames via requests to
| /j_security_check with malformed URL encoding of passwords, related to
| improper error checking in the (1) MemoryRealm, (2) DataSourceRealm,
| and (3) JDBCRealm authentication realms, as demonstrated by a %
| (percent) value for the j_password parameter.

CVE-2009-0783[2]:
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
| through 6.0.18 permits web applications to replace an XML parser used
| for other web applications, which allows local users to read or modify
| the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web
| applications via a crafted application that is loaded earlier than the
| target application.

CVE-2009-0781[3]:
| Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the
| calendar application in the examples web application in Apache Tomcat
| 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18
| allows remote attackers to inject arbitrary web script or HTML via the
| time parameter, related to "invalid HTML."



These are already fixed in debian unstable (6.0.20-1).
Please coordinate with the security team (team at security.debian.org) to
prepare packages for the stable releases.


If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
    http://security-tracker.debian.net/tracker/CVE-2009-0033
    Patch: http://svn.apache.org/viewvc?rev=742915&view=rev
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
    http://security-tracker.debian.net/tracker/CVE-2009-0580
    Patch: http://svn.apache.org/viewvc?rev=747840&view=rev
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
    http://security-tracker.debian.net/tracker/CVE-2009-0783
    Patch: http://svn.apache.org/viewvc?rev=652592&view=rev http://svn.apache.org/viewvc?rev=739522&view=rev
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
    http://security-tracker.debian.net/tracker/CVE-2009-0781
    Patch: http://svn.apache.org/viewvc?rev=750924&view=rev



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkotdbwACgkQNxpp46476aqNMgCeJKI5of2DuyyPIT/m7Ux0Uwxi
f0wAn3L1SyaQvA0I+ii/ityAqzfDeNJR
=WojC
-----END PGP SIGNATURE-----

More information about the Secure-testing-team mailing list