[ubuntu/lucid-security] tomcat6 6.0.24-2ubuntu1.9 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Tue Nov 8 13:03:55 UTC 2011 

tomcat6 (6.0.24-2ubuntu1.9) lucid-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184

Date: Mon, 26 Sep 2011 11:53:28 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/lucid/+source/tomcat6/6.0.24-2ubuntu1.9
-------------- next part --------------
Format: 1.8
Date: Mon, 26 Sep 2011 11:53:28 -0400
Source: tomcat6
Binary: tomcat6-common tomcat6 tomcat6-user libtomcat6-java libservlet2.5-java libservlet2.5-java-doc tomcat6-admin tomcat6-examples tomcat6-docs
Architecture: source
Version: 6.0.24-2ubuntu1.9
Distribution: lucid-security
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description: 
 libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes
 libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation
 libtomcat6-java - Servlet and JSP engine -- core libraries
 tomcat6    - Servlet and JSP engine
 tomcat6-admin - Servlet and JSP engine -- admin web applications
 tomcat6-common - Servlet and JSP engine -- common files
 tomcat6-docs - Servlet and JSP engine -- documentation
 tomcat6-examples - Servlet and JSP engine -- example web applications
 tomcat6-user - Servlet and JSP engine -- tools to create user instances
Launchpad-Bugs-Fixed: 843701
Changes: 
 tomcat6 (6.0.24-2ubuntu1.9) lucid-security; urgency=low
 .
   * SECURITY UPDATE: information disclosure via log file
     - debian/patches/0015-CVE-2011-2204.patch: fix logging in
       java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
       java/org/apache/catalina/users/MemoryUserDatabase.java,
       java/org/apache/catalina/users/MemoryUser.java.
     - CVE-2011-2204
   * SECURITY UPDATE: file restriction bypass or denial of service via
     untrusted web application.
     - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
       java/org/apache/catalina/connector/LocalStrings.properties,
       java/org/apache/catalina/connector/Request.java,
       java/org/apache/catalina/servlets/DefaultServlet.java,
       java/org/apache/coyote/http11/Http11AprProcessor.java,
       java/org/apache/coyote/http11/LocalStrings.properties,
       java/org/apache/tomcat/util/net/AprEndpoint.java,
       java/org/apache/tomcat/util/net/NioEndpoint.java.
     - CVE-2011-2526
   * SECURITY UPDATE: AJP request spoofing and authentication bypass
     (LP: #843701)
     - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
       bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
       java/org/apache/coyote/ajp/AjpProcessor.java.
     - CVE-2011-3190
   * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
     - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
       java/org/apache/catalina/authenticator/DigestAuthenticator.java,
       java/org/apache/catalina/authenticator/LocalStrings.properties,
       java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
       java/org/apache/catalina/realm/RealmBase.java,
       webapps/docs/config/valve.xml.
     - CVE-2011-1184
Checksums-Sha1: 
 d55e5828575df23ac34335b84f1c5efee8193dfe 2405 tomcat6_6.0.24-2ubuntu1.9.dsc
 ee0c78d1a2f21c47bcee435798e27bb0b07302d7 46590 tomcat6_6.0.24-2ubuntu1.9.debian.tar.gz
Checksums-Sha256: 
 21c426f79775556eb575c5639786f4aafa6224bb8dfd5c57cb7e49a826904943 2405 tomcat6_6.0.24-2ubuntu1.9.dsc
 02229b83da308549ac6c6ce8d1e67371c0dc2ee134026aa23d9041b77ba23aa5 46590 tomcat6_6.0.24-2ubuntu1.9.debian.tar.gz
Files: 
 af3c53021a8b00373e43817319492be6 2405 java optional tomcat6_6.0.24-2ubuntu1.9.dsc
 b81023c2ffd04e7e84ef925df3ba6416 46590 java optional tomcat6_6.0.24-2ubuntu1.9.debian.tar.gz
Original-Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>

More information about the Lucid-changes mailing list