CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.012 Low (percentile 85.2%)
Debian Security Advisory DSA-2401-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 02, 2012                        http://www.debian.org/security/faq
Package : tomcat6
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-1184 CVE-2011-2204 CVE-2011-2526 CVE-2011-3190
CVE-2011-3375 CVE-2011-4858 CVE-2011-5062 CVE-2011-5063
CVE-2011-5064 CVE-2012-0022
Several vulnerabilities have been found in Tomcat, a servlet and JSP
engine:
CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064
The HTTP Digest Access Authentication implementation performed
insufficient countermeasures against replay attacks.
CVE-2011-2204
In rare setups passwords were written into a logfile.
CVE-2011-2526
Missing input sanitising in the HTTP APR or HTTP NIO connectors
could lead to denial of service.
CVE-2011-3190
AJP requests could be spoofed in some setups.
CVE-2011-3375
Incorrect request caching could lead to information disclosure.
CVE-2011-4858 CVE-2012-0022
This update adds countermeasures against the hash collision denial
of service in the Java hash table implementation (CVE-2011-4858) and
fixes the inefficient handling of requests carrying large numbers of
parameters and parameter values, which could also be abused for
denial of service (CVE-2012-0022).
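As an added illustration of what "countermeasures against replay attacks" means for HTTP Digest (this is example code, not Tomcat's implementation and not part of the advisory): a minimal RFC 2617 server with qop=auth that issues self-validating, time-limited nonces (timestamp:random:HMAC tag) and requires the nonce-count (nc) to increase strictly for each nonce, so a captured Authorization header is refused when presented again, when its nc is rewound, when the nonce has expired, or when the nonce was not issued by this server. The realm, lifetime, credentials and request below are assumptions constructed for the demo.

```python
"""HTTP Digest verification with replay countermeasures (added example).

Not Tomcat's implementation: a minimal RFC 2617 (qop=auth) server whose nonces
are self-validating (timestamp:random:HMAC tag) and expire, and which tracks the
highest nonce-count (nc) accepted per nonce so a replayed header is rejected.
Realm, lifetime, user and request below are constructed for the demo.
"""
import hashlib
import hmac
import os
import time

REALM = "example"        # assumed realm
NONCE_LIFETIME = 300     # seconds a nonce stays acceptable (assumption)


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


class DigestServer:
    def __init__(self, ha1_by_user, key=None, now=time.time):
        self.ha1_by_user = ha1_by_user      # user -> md5(user:realm:password)
        self.key = key or os.urandom(32)    # binds nonces to this server
        self.now = now                      # injectable clock for testing
        self.seen = {}                      # nonce -> highest nc accepted

    def _tag(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()[:16]

    def make_nonce(self):
        body = "%d:%s" % (int(self.now()), os.urandom(8).hex())
        return body + ":" + self._tag(body)

    def _nonce_ok(self, nonce):
        parts = nonce.split(":")
        if len(parts) != 3 or not parts[0].isdigit():
            return False
        body = parts[0] + ":" + parts[1]
        if not hmac.compare_digest(parts[2], self._tag(body)):
            return False                    # forged or foreign nonce
        return self.now() - int(parts[0]) <= NONCE_LIFETIME   # stale -> reject

    def verify(self, method, auth):
        """Return True only for a fresh, correctly computed response."""
        if auth.get("realm") != REALM or auth.get("qop") != "auth":
            return False
        nonce = auth.get("nonce", "")
        if not self._nonce_ok(nonce):
            return False
        try:
            nc = int(auth["nc"], 16)
        except (KeyError, ValueError):
            return False
        if nc <= self.seen.get(nonce, 0):
            return False                    # replayed or rewound nonce count
        ha1 = self.ha1_by_user.get(auth.get("username"))
        if ha1 is None:
            return False
        ha2 = _md5("%s:%s" % (method, auth["uri"]))
        expected = _md5(":".join([ha1, nonce, auth["nc"], auth["cnonce"], "auth", ha2]))
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return False
        self.seen[nonce] = nc               # record only after full success
        return True


def client_response(user, password, method, uri, nonce, nc, cnonce):
    """Authorization parameters an RFC 2617 client computes for one request."""
    ha1 = _md5("%s:%s:%s" % (user, REALM, password))
    ha2 = _md5("%s:%s" % (method, uri))
    response = _md5(":".join([ha1, nonce, nc, cnonce, "auth", ha2]))
    return {"username": user, "realm": REALM, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}


def demo():
    """Legitimate request, replay, rewound nc, stale nonce, forged nonce."""
    clock = [1_000_000.0]
    server = DigestServer({"alice": _md5("alice:%s:s3cret" % REALM)},
                          now=lambda: clock[0])
    nonce = server.make_nonce()
    req = lambda nc, cnonce, n=nonce: client_response(
        "alice", "s3cret", "GET", "/secret", n, nc, cnonce)
    first = req("00000001", "c1")
    out = {"first": server.verify("GET", first)}
    out["replay"] = server.verify("GET", dict(first))           # same header again
    out["second"] = server.verify("GET", req("00000002", "c2"))
    out["rewound_nc"] = server.verify("GET", req("00000001", "c3"))
    clock[0] += NONCE_LIFETIME + 1
    out["stale"] = server.verify("GET", req("00000003", "c4"))
    forged = "%d:%s:%s" % (int(clock[0]), "00" * 8, "0" * 16)
    out["forged"] = server.verify("GET", req("00000001", "c5", forged))
    return out


if __name__ == "__main__":
    print(demo())
```

The `seen` table is updated only after the whole response has been validated, so a failed attempt cannot consume a nonce count; in a real server it must also be pruned once nonces pass NONCE_LIFETIME, otherwise an attacker can grow it without bound by requesting fresh nonces.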
Additional information can be
found at http://tomcat.apache.org/security-6.html
For the stable distribution (squeeze), these problems have been fixed in
version 6.0.35-1+squeeze2.
For the unstable distribution (sid), these problems have been fixed in
version 6.0.35-1.
We recommend that you upgrade your tomcat6 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
OS | OS Version | Architecture | Package | Vulnerable Version | Fixed Package File |
---|---|---|---|---|---|
Debian | 6 | all | tomcat6 | < 6.0.35-1+squeeze2 | tomcat6_6.0.35-1+squeeze2_all.deb |
Debian | 6 | all | tomcat6-admin | < 6.0.35-1+squeeze2 | tomcat6-admin_6.0.35-1+squeeze2_all.deb |
Debian | 6 | all | tomcat6-docs | < 6.0.35-1+squeeze2 | tomcat6-docs_6.0.35-1+squeeze2_all.deb |
Debian | 6 | all | tomcat6-user | < 6.0.35-1+squeeze2 | tomcat6-user_6.0.35-1+squeeze2_all.deb |
Debian | 6 | all | tomcat6-examples | < 6.0.35-1+squeeze2 | tomcat6-examples_6.0.35-1+squeeze2_all.deb |
Debian | 6 | all | tomcat6-common | < 6.0.35-1+squeeze2 | tomcat6-common_6.0.35-1+squeeze2_all.deb |
Debian | 6 | all | libtomcat6-java | < 6.0.35-1+squeeze2 | libtomcat6-java_6.0.35-1+squeeze2_all.deb |
Debian | 6 | all | libservlet2.5-java-doc | < 6.0.35-1+squeeze2 | libservlet2.5-java-doc_6.0.35-1+squeeze2_all.deb |
Debian | 6 | all | libservlet2.5-java | < 6.0.35-1+squeeze2 | libservlet2.5-java_6.0.35-1+squeeze2_all.deb |
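To act on the fixed versions given in the advisory and the package table above, the following added example (not Debian's tooling, and not part of the advisory) reimplements dpkg's version ordering in Python, including epochs and the "~" pre-release rule, and flags every tomcat6 binary package whose installed version is still below the fixed version for its suite. The dpkg-query output it parses is constructed sample data for a partially updated squeeze host; on a real system feed it `dpkg-query -W -f='${Package} ${Version}\n'`.

```python
"""Check installed tomcat6 packages against the DSA-2401-1 fixed versions.

Added example, not Debian's tooling. Implements dpkg's version comparison
(epoch, then upstream, then Debian revision; "~" sorts before the empty
string) so the check runs on a host without dpkg, e.g. over collected inventory.
"""

# Fixed versions per suite, taken from the advisory text.
FIXED = {"squeeze": "6.0.35-1+squeeze2", "sid": "6.0.35-1"}

# Binary packages built from the tomcat6 source package (advisory table).
AFFECTED = {"tomcat6", "tomcat6-admin", "tomcat6-docs", "tomcat6-user",
            "tomcat6-examples", "tomcat6-common", "libtomcat6-java",
            "libservlet2.5-java", "libservlet2.5-java-doc"}


def _order(c):
    """dpkg's character weight for non-digit segments: '~' < end < letters < others."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit and numeric segments."""
    at = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            ac = _order(at(a, i)) if at(a, i) else 0
            bc = _order(at(b, j)) if at(b, j) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i).isdigit():
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' the way dpkg does."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    return r if r else _verrevcmp(ra, rb)


def vulnerable_packages(dpkg_output, suite):
    """Return (package, version) pairs from dpkg-query output still below the fix."""
    fixed = FIXED[suite]
    found = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # skip blank or malformed lines
        pkg, ver = parts
        if pkg in AFFECTED and compare_versions(ver, fixed) < 0:
            found.append((pkg, ver))
    return found


# Constructed sample: a squeeze host where only part of the update landed.
SAMPLE_DPKG_OUTPUT = """\
tomcat6 6.0.35-1+squeeze1
tomcat6-common 6.0.35-1+squeeze2
libtomcat6-java 6.0.28-9+squeeze1
libservlet2.5-java 6.0.35-1+squeeze2
openjdk-6-jre 6b18-1.8.13-0+squeeze1
"""

if __name__ == "__main__":
    for pkg, ver in vulnerable_packages(SAMPLE_DPKG_OUTPUT, "squeeze"):
        print("VULNERABLE %s %s (fixed in %s)" % (pkg, ver, FIXED["squeeze"]))
```

Note that the suite matters: 6.0.35-1 is the fixed version for sid but sorts below 6.0.35-1+squeeze2, so comparing every host against the squeeze version would produce false positives on sid systems.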