[Bug 843701] Re: CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure
Launchpad Bug Tracker
843701 at bugs.launchpad.net
Tue Nov 8 13:03:59 UTC 2011
This bug was fixed in the package tomcat6 - 6.0.28-2ubuntu1.5
---------------
tomcat6 (6.0.28-2ubuntu1.5) maverick-security; urgency=low
* SECURITY UPDATE: information disclosure via log file
- debian/patches/0015-CVE-2011-2204.patch: fix logging in
java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
java/org/apache/catalina/users/MemoryUserDatabase.java,
java/org/apache/catalina/users/MemoryUser.java.
- CVE-2011-2204
* SECURITY UPDATE: file restriction bypass or denial of service via
untrusted web application.
- debian/patches/0016-CVE-2011-2526.patch: check canonical name in
java/org/apache/catalina/connector/LocalStrings.properties,
java/org/apache/catalina/connector/Request.java,
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/coyote/http11/Http11AprProcessor.java,
java/org/apache/coyote/http11/LocalStrings.properties,
java/org/apache/tomcat/util/net/AprEndpoint.java,
java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2011-2526
* SECURITY UPDATE: AJP request spoofing and authentication bypass
(LP: #843701)
- debian/patches/0017-CVE-2011-3190.patch: Properly handle request
bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
java/org/apache/coyote/ajp/AjpProcessor.java.
- CVE-2011-3190
* SECURITY UPDATE: HTTP DIGEST authentication weaknesses
- debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
java/org/apache/catalina/authenticator/DigestAuthenticator.java,
java/org/apache/catalina/authenticator/LocalStrings.properties,
java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
java/org/apache/catalina/realm/RealmBase.java,
webapps/docs/config/valve.xml.
- CVE-2011-1184
* This package does _not_ contain the changes that were in
6.0.28-2ubuntu1.3 in -proposed.
-- Marc Deslauriers <marc.deslauriers at ubuntu.com> Mon, 26 Sep 2011 11:48:20 -0400
** Changed in: tomcat6 (Ubuntu Lucid)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat6 in Ubuntu.
https://bugs.launchpad.net/bugs/843701
Title:
CVE-2011-3190 Apache Tomcat Authentication bypass and information
disclosure
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat5.5/+bug/843701/+subscriptions
More information about the Ubuntu-server-bugs
mailing list