Updated tomcat6 packages that fix multiple security issues are nowavailable for Red Hat JBoss Web Server 2.0.1 on Red Hat Enterprise Linux 5and 6.The Red Hat Security Response Team has rated this update as having Moderatesecurity impact. Common Vulnerability Scoring System (CVSS) base scores,which give detailed severity ratings, are available for each vulnerabilityfrom the CVE links in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set ofcomponents for hosting Java web applications. It is comprised of the ApacheHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the TomcatNative library.It was found that when Tomcat processed a series of HTTP requests in whichat least one request contained either multiple content-length headers, orone content-length header with a chunked transfer-encoding header, Tomcatwould incorrectly handle the request. A remote attacker could use this flawto poison a web cache, perform cross-site scripting (XSS) attacks, orobtain sensitive information from other requests. (CVE-2013-4286)It was discovered that the fix for CVE-2012-3544 did not properly resolve adenial of service flaw in the way Tomcat processed chunk extensions andtrailing headers in chunked requests. A remote attacker could use this flawto send an excessively long request that, when processed by Tomcat, couldconsume network bandwidth, CPU, and memory on the Tomcat server. Note thatchunked transfer encoding is enabled by default. (CVE-2013-4322)It was found that previous fixes in Tomcat 6 to path parameter handlingintroduced a regression that caused Tomcat to not properly disable URLrewriting to track session IDs when the disableURLRewriting option wasenabled. A man-in-the-middle attacker could potentially use this flaw tohijack a user’s session. (CVE-2014-0033)A denial of service flaw was found in the way Apache Commons FileUpload,which is embedded in Tomcat, handled small-sized buffers used byMultipartStream. A remote attacker could use this flaw to create amalformed Content-Type header for a multipart request, causing Tomcat toenter an infinite loop when processing such an incoming request.(CVE-2014-0050)All users of Red Hat JBoss Web Server 2.0.1 are advised to upgrade to theseupdated tomcat6 packages, which contain backported patches to correct theseissues. The Red Hat JBoss Web Server process must be restarted for theupdate to take effect.
Before applying this update, make sure all previously released erratarelevant to your system have been applied, and back up your existing RedHat JBoss Web Server installation (including all applications andconfiguration files).This update is available via the Red Hat Network. Details on how touse the Red Hat Network to apply this update are available athttps://access.redhat.com/knowledge/articles/11258JBoss Enterprise Web Server v2 EL5

SRPMS:
tomcat6-6.0.37-19_patch_04.ep6.el5.src.rpm
    MD5: 66435d95307e93be9a11ca124d642f34SHA-256: c438e14fed258ad934391552cdd95a0143d72ab74163d46a4e612e57d7634ff5
 
IA-32:
tomcat6-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: ff700d87534b95afbd4cc445186b695bSHA-256: dc50e695b896f141e609ddae9186e3e3c6b8d9e97a6c142d4c4e0ef09dd10922
tomcat6-admin-webapps-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 8973b88e417c2cc6489c92bc5cc9b5c6SHA-256: 1488f6146b43181ba2409892f6b22a0ae210922d5b6d3145affe5749d3842658
tomcat6-docs-webapp-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 57250f5aeb827f336437cf2a6f51ca41SHA-256: 7459816f987471c274c0b9ddf33e8c7e2a8fb36613fa5ff4c6fe66a0a6b589ea
tomcat6-el-2.1-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: e03f7d7b389c5cd828f0dcbc3ad32699SHA-256: def2e32dec30d3bfd34193adb089e662485b1c3d9053f9db8aec0e38a82d2e09
tomcat6-javadoc-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 21f4a574005d0a7cf03b9ba792b8d2e6SHA-256: f3cec691dce29466003ff0ebc6db74a94828edef19c1f42c92fffd2aae6bf00d
tomcat6-jsp-2.1-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: ecb7a11f71fc3992b833ee7c2da35ff6SHA-256: 10a31e5f0ef7264a5fa9e1a2a481e5a3b3a830dc32ef90e10288e3016412622d
tomcat6-lib-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 48735c2def1c751f40e31821518ec0dcSHA-256: ddbe3a3f2a60ab32525f6915fbf30b4cce3b12d19c200831266a621d2e4020df
tomcat6-log4j-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 192b53b22ae405786e6cb4baa14cf912SHA-256: d6b0d7e79a71b940f41816f079d5a640eaadfebb3ff96439ec029fe32a72b6f6
tomcat6-servlet-2.5-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 3b5e2f5ead6fb1c8ddac5c41e0f00dc4SHA-256: fffcf09725805f3767b0656c73cf30cf99f53d2cb8dbb55ef35b9f6e6ac771ea
tomcat6-webapps-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 645f741f0efe4d6da4875ae7f83f8d93SHA-256: 1dbbc4185024cc84845669c0fccdde0b0e95f1df16588b66195fd2e45e92f8fd
 
x86_64:
tomcat6-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: ff700d87534b95afbd4cc445186b695bSHA-256: dc50e695b896f141e609ddae9186e3e3c6b8d9e97a6c142d4c4e0ef09dd10922
tomcat6-admin-webapps-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 8973b88e417c2cc6489c92bc5cc9b5c6SHA-256: 1488f6146b43181ba2409892f6b22a0ae210922d5b6d3145affe5749d3842658
tomcat6-docs-webapp-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 57250f5aeb827f336437cf2a6f51ca41SHA-256: 7459816f987471c274c0b9ddf33e8c7e2a8fb36613fa5ff4c6fe66a0a6b589ea
tomcat6-el-2.1-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: e03f7d7b389c5cd828f0dcbc3ad32699SHA-256: def2e32dec30d3bfd34193adb089e662485b1c3d9053f9db8aec0e38a82d2e09
tomcat6-javadoc-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 21f4a574005d0a7cf03b9ba792b8d2e6SHA-256: f3cec691dce29466003ff0ebc6db74a94828edef19c1f42c92fffd2aae6bf00d
tomcat6-jsp-2.1-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: ecb7a11f71fc3992b833ee7c2da35ff6SHA-256: 10a31e5f0ef7264a5fa9e1a2a481e5a3b3a830dc32ef90e10288e3016412622d
tomcat6-lib-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 48735c2def1c751f40e31821518ec0dcSHA-256: ddbe3a3f2a60ab32525f6915fbf30b4cce3b12d19c200831266a621d2e4020df
tomcat6-log4j-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 192b53b22ae405786e6cb4baa14cf912SHA-256: d6b0d7e79a71b940f41816f079d5a640eaadfebb3ff96439ec029fe32a72b6f6
tomcat6-servlet-2.5-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 3b5e2f5ead6fb1c8ddac5c41e0f00dc4SHA-256: fffcf09725805f3767b0656c73cf30cf99f53d2cb8dbb55ef35b9f6e6ac771ea
tomcat6-webapps-6.0.37-19_patch_04.ep6.el5.noarch.rpm
    MD5: 645f741f0efe4d6da4875ae7f83f8d93SHA-256: 1dbbc4185024cc84845669c0fccdde0b0e95f1df16588b66195fd2e45e92f8fd
 
JBoss Enterprise Web Server v2 EL6

SRPMS:
tomcat6-6.0.37-27_patch_04.ep6.el6.src.rpm
    MD5: f6d28355c682cdcf03c375af4f7ab026SHA-256: ac1242b3453334d8ba1c1ec9cc5feb80981ad45c02809bed37b0159a2cd26731
 
IA-32:
tomcat6-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: c154b12f9fac409d0b28558f24743207SHA-256: 7877ee6e5142a16c46888738b68d38ea1d5d54b96a0981e1b4943f8321427ddf
tomcat6-admin-webapps-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: 64a1d891adefa5919649046b153dd464SHA-256: 030fb4a0f79ea2a2dfd28324177dbfceddb27e82534ccbe48ef2155ff90eab00
tomcat6-docs-webapp-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: 436f1e801dfea4d044dcb7bd25b39eeaSHA-256: d5d70240d0558e2a77c565635d29b534e24a5b29e6db6da588fad94709840c36
tomcat6-el-2.1-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: b231914cdaf6001024e4f200f8eb4a0bSHA-256: 354a44d532377d308145e78e5c6697ee5079b53ee70603eda0ff23218fb27215
tomcat6-javadoc-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: 0862743affe5854916ae23aed695d3fcSHA-256: db60c2602ee6efcbfbb72a49c552120257ff9cda00a12a0b8faaf8f20dd14a43
tomcat6-jsp-2.1-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: 1b31c24eee8f9a9a42b2ae097cd3c408SHA-256: c25410e748bf7f9a4af7549767667d7d883776c40f6088454feb9095316f3266
tomcat6-lib-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: 14bd4a29cb4f8bb8db01b980968eb872SHA-256: 8311a8d20fd0372aa8521b1b74125eae28491256f5081ac64ead21419d1b786b
tomcat6-log4j-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: a3db978c3e92da410309adc1fd060951SHA-256: 63d91f8818539acf1a20c58b242b9ea218d0f0e2942b13913e6a8a0e94e08008
tomcat6-servlet-2.5-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: d11bb9ec19165c1b2f56018ec9510044SHA-256: d6ccf62626c1cbf26dbc1aa198e65a477d3cf66ecb55ac1a83fd39e1e12a01dc
tomcat6-webapps-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: 07d96b2df1e4c5b206e503536504c1c6SHA-256: bdacbe26e5659724c491b54de6fc2a65f0bcd567b8b9a39ed828db600d4584d7
 
x86_64:
tomcat6-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: c154b12f9fac409d0b28558f24743207SHA-256: 7877ee6e5142a16c46888738b68d38ea1d5d54b96a0981e1b4943f8321427ddf
tomcat6-admin-webapps-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: 64a1d891adefa5919649046b153dd464SHA-256: 030fb4a0f79ea2a2dfd28324177dbfceddb27e82534ccbe48ef2155ff90eab00
tomcat6-docs-webapp-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: 436f1e801dfea4d044dcb7bd25b39eeaSHA-256: d5d70240d0558e2a77c565635d29b534e24a5b29e6db6da588fad94709840c36
tomcat6-el-2.1-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: b231914cdaf6001024e4f200f8eb4a0bSHA-256: 354a44d532377d308145e78e5c6697ee5079b53ee70603eda0ff23218fb27215
tomcat6-javadoc-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: 0862743affe5854916ae23aed695d3fcSHA-256: db60c2602ee6efcbfbb72a49c552120257ff9cda00a12a0b8faaf8f20dd14a43
tomcat6-jsp-2.1-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: 1b31c24eee8f9a9a42b2ae097cd3c408SHA-256: c25410e748bf7f9a4af7549767667d7d883776c40f6088454feb9095316f3266
tomcat6-lib-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: 14bd4a29cb4f8bb8db01b980968eb872SHA-256: 8311a8d20fd0372aa8521b1b74125eae28491256f5081ac64ead21419d1b786b
tomcat6-log4j-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: a3db978c3e92da410309adc1fd060951SHA-256: 63d91f8818539acf1a20c58b242b9ea218d0f0e2942b13913e6a8a0e94e08008
tomcat6-servlet-2.5-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: d11bb9ec19165c1b2f56018ec9510044SHA-256: d6ccf62626c1cbf26dbc1aa198e65a477d3cf66ecb55ac1a83fd39e1e12a01dc
tomcat6-webapps-6.0.37-27_patch_04.ep6.el6.noarch.rpm
    MD5: 07d96b2df1e4c5b206e503536504c1c6SHA-256: bdacbe26e5659724c491b54de6fc2a65f0bcd567b8b9a39ed828db600d4584d7
 
(The unlinked packages above are only available from the Red Hat Network)
1062337 – CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream1069905 – CVE-2013-4322 tomcat: incomplete fix for CVE-2012-35441069919 – CVE-2014-0033 tomcat: session fixation still possible with disableURLRewriting enabled1069921 – CVE-2013-4286 tomcat: multiple content-length header poisoning flaws

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:

Leave a Reply