tomcat5 (SL5)

By Scientific Linux Team on March 12, 2013

Synopsis: Important: tomcat5 security update
Issue Date: 2013-03-12
CVE Numbers: CVE-2012-5885
CVE-2012-5886
CVE-2012-5887
CVE-2012-3546

It was found that when an application used FORM authentication, along with
another component that calls request.setUserPrincipal() before the call to
FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it
was possible to bypass the security constraint checks in the FORM
authenticator by appending “/j_security_check” to the end of a URL. A
remote attacker with an authenticated session on an affected application
could use this flaw to circumvent authorization controls, and thereby
access resources not permitted by the roles associated with their
authenticated session. (CVE-2012-3546)

Multiple weaknesses were found in the Tomcat DIGEST authentication
implementation, effectively reducing the security normally provided by
DIGEST authentication. A remote attacker could use these flaws to perform
replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886,
CVE-2012-5887)

Tomcat must be restarted for this update to take effect.

SL5
x86_64
tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.x86_64.rpm
tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.x86_64.rpm
tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.x86_64.rpm
tomcat5-5.5.23-0jpp.38.el5_9.x86_64.rpm
tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm
tomcat5-common-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm
tomcat5-jasper-5.5.23-0jpp.38.el5_9.x86_64.rpm
tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm
tomcat5-server-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm
tomcat5-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm
i386
tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.i386.rpm
tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.i386.rpm
tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.i386.rpm
tomcat5-5.5.23-0jpp.38.el5_9.i386.rpm
tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.i386.rpm
tomcat5-common-lib-5.5.23-0jpp.38.el5_9.i386.rpm
tomcat5-jasper-5.5.23-0jpp.38.el5_9.i386.rpm
tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm
tomcat5-server-lib-5.5.23-0jpp.38.el5_9.i386.rpm
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm
tomcat5-webapps-5.5.23-0jpp.38.el5_9.i386.rpm

– Scientific Linux Development Team