Debian Security Advisory
DSA-2401-1 tomcat6 -- several vulnerabilities
- Date Reported:
- 02 Feb 2012
- Affected Packages:
- tomcat6
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2011-1184, CVE-2011-2204, CVE-2011-2526, CVE-2011-3190, CVE-2011-3375, CVE-2011-4858, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064, CVE-2012-0022.
- More information:
-
Several vulnerabilities have been found in Tomcat, a servlet and JSP engine:
- CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064
The HTTP Digest Access Authentication implementation performed insufficient countermeasures against replay attacks.
- CVE-2011-2204
In rare setups passwords were written into a logfile.
- CVE-2011-2526
Missing input sanitising in the HTTP APR or HTTP NIO connectors could lead to denial of service.
- CVE-2011-3190
AJP requests could be spoofed in some setups.
- CVE-2011-3375
Incorrect request caching could lead to information disclosure.
- CVE-2011-4858 CVE-2012-0022
This update adds countermeasures against a collision denial of service vulnerability in the Java hashtable implementation and addresses denial of service potentials when processing large amounts of requests.
Additional information can be found at http://tomcat.apache.org/security-6.html
For the stable distribution (squeeze), this problem has been fixed in version 6.0.35-1+squeeze2.
For the unstable distribution (sid), this problem has been fixed in version 6.0.35-1.
We recommend that you upgrade your tomcat6 packages.
- CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064