Date: Mon, 6 Aug 2001 09:55:20 -0600
From: Support Info <[email protected]>
To: [email protected], [email protected],
Subject: Security Update: [CSSA-2001-028.0] Linux - Tomcat security problems
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux - Tomcat security problems
Advisory number: CSSA-2001-028.0
Issue date: 2001, August 02
Cross reference:
______________________________________________________________________________
1. Problem Description
There are several security problems in Jakarta-Tomcat, the Java
Servlet engine shipped as part of OpenLinux 3.1 Server. Several
vulnerabilities allowed attackers to view files on the system.
A second problem allowed so-called cross-site scripting, where
a hostile web server can feed JavaScript or other code to a web
browser, making it appear to originate from the server running
Tomcat.
2. Vulnerable Versions
System                        Package
-----------------------------------------------------------
OpenLinux 2.3                 not vulnerable
OpenLinux eServer 2.3.1       not vulnerable
and OpenLinux eBuilder
OpenLinux eDesktop 2.4        not vulnerable
OpenLinux Server 3.1          All packages previous to
                              jakarta-tomcat-3.2.3-3
OpenLinux Workstation 3.1     not vulnerable
3. Solution
Workaround
none
The proper solution is to upgrade to the latest packages.
4. OpenLinux 2.3
not vulnerable
5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
not vulnerable
6. OpenLinux eDesktop 2.4
not vulnerable
7. OpenLinux 3.1 Server
7.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS
7.2 Verification
b2b4fa902845eb88b81b7778d9625e2f RPMS/jakarta-tomcat-3.2.3-3.i386.rpm
275881e7034ff900d67631b27f620025 SRPMS/jakarta-tomcat-3.2.3-3.src.rpm
7.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh jakarta-tomcat-3.2.3-3.i386.rpm
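The three steps of section 7 (fetch the packages, compare them against the published MD5 sums, then freshen with rpm) carried through as one script. This is an added example, not part of the Caldera advisory; it assumes the packages were downloaded into the current directory keeping the RPMS/ and SRPMS/ directory names from the FTP site, that md5sum and rpm are installed, and the script name verify-and-install.sh is made up for the usage line.

```shell
#!/bin/sh
# Added example (not part of the Caldera advisory): verify the downloaded
# packages against the MD5 sums published in section 7.2 and apply the
# advisory's rpm -Fvh command only when every file matches.
# Assumptions: the packages were fetched into the current directory keeping
# the RPMS/ and SRPMS/ subdirectory names used on the FTP site, and md5sum
# (GNU coreutils or busybox) and rpm are installed.

# MD5 sums copied from section 7.2 of the advisory, one "sum path" per line.
ADVISORY_SUMS='b2b4fa902845eb88b81b7778d9625e2f RPMS/jakarta-tomcat-3.2.3-3.i386.rpm
275881e7034ff900d67631b27f620025 SRPMS/jakarta-tomcat-3.2.3-3.src.rpm'

# file_md5 PATH: print the hex MD5 of PATH; fails if the file is unreadable.
file_md5() {
    [ -r "$1" ] || return 1
    md5sum "$1" | cut -d' ' -f1
}

# check_sums LIST: LIST holds "md5 path" lines as in ADVISORY_SUMS.
# Prints one status line per entry and returns 0 only when every listed
# file exists and its digest equals the published one. A here-document
# (not a pipe) feeds the loop so the rc flag is set in this shell, not a
# subshell.
check_sums() {
    rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -r "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        got=$(file_md5 "$path")
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "FAILED   $path (got $got, advisory lists $want)"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# install_update: run the advisory's command only after verification.
# rpm -F ("freshen") upgrades jakarta-tomcat only where an older version
# is already installed, so hosts without Tomcat are left untouched.
install_update() {
    if ! check_sums "$ADVISORY_SUMS"; then
        echo "checksum verification failed; not installing" >&2
        return 1
    fi
    rpm -Fvh RPMS/jakarta-tomcat-3.2.3-3.i386.rpm
}

# Usage: sh verify-and-install.sh install   (script name is assumed)
case "${1-}" in
    install) install_update ;;
esac
```

The sums are only as trustworthy as the message that carries them: check the advisory's PGP signature first, then the packages against the sums, and only then run rpm. Both the FTP download and the sums travel in the clear, so a matching digest shows the file arrived intact, while the signature on the advisory is what ties the digest to Caldera.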
8. OpenLinux 3.1 Workstation
not vulnerable
9. References
This and other Caldera security resources are located at:
http://www.caldera.com/support/security/index.html
This security fix closes Caldera's internal Problem Reports 9690,
9691, 10166, and 10247.
10. Disclaimer
Caldera International, Inc. is not responsible for the misuse of
any of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7aU3X18sy83A/qfwRAlKBAJ9RE+Zfv5Sfd5nI6ueWqn4BeuWP5gCgjotV
4Nzvjq1VpIjRyXDKk6ihljE=
=R1aW
-----END PGP SIGNATURE-----