- --------------------------------------------------------------------------
Debian Security Advisory DSA 225-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 9th, 2002 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : tomcat4
Vulnerability : source disclosure
Problem-Type : remote
Debian-specific: no
CVE Id : CAN-2002-1394
A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases, which allows to use a specially crafted URL to return
the unprocessed source of a JSP page, or, under special circumstances,
a static resource which would otherwise have been protected by a
security constraint, without the need for being properly
authenticated. This is based on a variant of the exploit that was
identified as CAN-2002-1148.
For the current stable distribution (woody) this problem has been
fixed in version 4.0.3-3woody2.
The old stable distribution (potato) does not contain tomcat packages.
For the unstable distribution (sid) this problem does not exist in the
current version 4.1.16-1.
We recommend that you upgrade your tomcat packages.
Installation Instructions
- -------------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2.dsc
Size/MD5 checksum: 708 0911f7c03a0ab71133fbe95bf45d0d20
http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2.diff.gz
Size/MD5 checksum: 15881 de9f6f0fb39374bfe4ece1ef4824d942
http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3.orig.tar.gz
Size/MD5 checksum: 1588186 2b2e0d859f7152e5225633933e6585d6
Architecture independent components:
http://security.debian.org/pool/updates/contrib/t/tomcat4/libtomcat4-java_4.0.3-3woody2_all.deb
Size/MD5 checksum: 1134258 680c67daebdd36eb879ce593e6362f3b
http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4-webapps_4.0.3-3woody2_all.deb
Size/MD5 checksum: 1167502 34f71826d8441f967e3da0ee4ab9a1be
http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2_all.deb
Size/MD5 checksum: 126444 e7dbc07086a7e349474bff877342cb6d
These files will probably be moved into the stable distribution on
its next revision.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>;
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
