Bug#648038: tomcat6: CVE-2011-1184 and CVE-2011-2526 fixes

Marc Deslauriers marc.deslauriers at ubuntu.com
Tue Nov 8 14:02:15 UTC 2011


Package: tomcat6
Version: 6.0.32-6
Severity: normal
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch



In Ubuntu, the attached patch was applied to achieve the following:

Fixes two security issues (CVE-2011-1184 and CVE-2011-2526)

  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0014-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0015-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers oneiric-updates
  APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 'oneiric-proposed'), (500, 'oneiric')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-13-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmpBmBYKQ
Type: text/x-diff
Size: 40565 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20111108/97d199a1/attachment-0001.diff>
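The changelog above says the CVE-2011-1184 patch adds new nonce options to Tomcat's DigestAuthenticator but does not show what those options enforce. The following is an added illustration, not the Debian patch or Tomcat's code, of the general defence an HTTP Digest server applies: it only accepts nonces it issued itself (verified by a keyed MAC), rejects them after a validity window, keeps a bounded cache of issued nonces, and requires the client's nonce count (nc) to increase strictly so a captured Authorization header cannot be replayed. The class name, the parameters and the injectable clock are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time


class NonceValidator:
    """Server-side tracking of HTTP Digest nonces (example, not Tomcat's code).

    A nonce is "<timestamp>:<random>:<mac>"; the MAC binds the first two
    fields to a server secret so a client cannot mint its own nonces.
    """

    def __init__(self, key, validity_seconds=300, cache_size=1000, now=time.time):
        self.key = key                    # server secret for the nonce MAC
        self.validity = validity_seconds  # how long an issued nonce stays usable
        self.cache_size = cache_size      # bound on remembered nonces
        self.now = now                    # clock, injectable for testing
        self.seen = {}                    # nonce -> highest nc accepted so far

    def _mac(self, ts, rand):
        return hmac.new(self.key, f"{ts}:{rand}".encode(), hashlib.sha256).hexdigest()[:32]

    def generate(self):
        """Issue a fresh nonce and remember it (evicting the oldest on overflow)."""
        ts = int(self.now())
        rand = secrets.token_hex(8)
        nonce = f"{ts}:{rand}:{self._mac(ts, rand)}"
        self.seen[nonce] = 0
        if len(self.seen) > self.cache_size:
            del self.seen[next(iter(self.seen))]  # dicts keep insertion order
        return nonce

    def validate(self, nonce, nc):
        """Return 'ok' or the reason the (nonce, nc) pair is rejected."""
        try:
            ts_str, rand, mac = nonce.split(":")
            ts = int(ts_str)
            count = int(nc, 16)           # nc is a hex counter per RFC 2617
        except ValueError:
            return "malformed"
        if not hmac.compare_digest(mac, self._mac(ts, rand)):
            return "forged"               # not minted with our key
        if self.now() - ts > self.validity:
            return "stale"                # outside the validity window
        if nonce not in self.seen:
            return "unknown"              # never issued, or already evicted
        if count <= self.seen[nonce]:
            return "replay"               # nc must strictly increase
        self.seen[nonce] = count
        return "ok"


if __name__ == "__main__":
    v = NonceValidator(b"constructed-server-secret", validity_seconds=60)
    n = v.generate()
    for nc in ("00000001", "00000001", "00000002"):
        print(nc, v.validate(n, nc))
```

Without the nonce cache and the nc check, a server that only verifies the response hash will accept the same Authorization header any number of times for as long as the nonce stays valid, which is the replay exposure the validity window alone does not close.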


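For CVE-2011-2526 the changelog only says the patch makes DefaultServlet and the connector code "check canonical name" before serving a file. As an added illustration, not the Debian patch or Tomcat's own code, the function below shows the underlying check a file-serving component makes: it canonicalises the requested path (resolving `..` segments and symbolic links) and refuses to serve anything whose canonical location lies outside the web application's document base. The function name, the temporary document base and the sample files are constructed for this example.

```python
import os
import tempfile


def safe_resolve(doc_base, requested):
    """Map a request path onto a file under doc_base using canonical paths.

    Returns the canonical absolute path to open, or None when the canonical
    path escapes doc_base through '..' segments or a symbolic link.
    Opening the returned canonical path (rather than the raw join) avoids
    re-resolving the link between check and use.
    """
    base = os.path.realpath(doc_base)
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        return None  # paths on different drives (Windows) share no prefix
    return candidate


def demo():
    """Constructed document base with one legitimate file, one '..' escape
    and one symlink that points outside; returns which checks behaved."""
    with tempfile.TemporaryDirectory() as tmp:
        docbase = os.path.join(tmp, "webapp")
        os.makedirs(docbase)
        outside = os.path.join(tmp, "secret.txt")
        with open(outside, "w") as f:
            f.write("constructed file outside the document base")
        with open(os.path.join(docbase, "index.html"), "w") as f:
            f.write("<html></html>")
        os.symlink(outside, os.path.join(docbase, "link.txt"))
        return {
            "serves_regular_file": safe_resolve(docbase, "/index.html") is not None,
            "blocks_dotdot": safe_resolve(docbase, "/../secret.txt") is None,
            "blocks_symlink_escape": safe_resolve(docbase, "/link.txt") is None,
        }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(check, passed)
```

A deployment that deliberately allows symlinks inside the document base (Tomcat exposes such a setting for its resources) has to decide that policy explicitly; the canonical check above is the conservative default, and it is the resolved path, not the raw request string, that should be handed to the file-opening or sendfile code afterwards.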