Updated tomcat7 packages that fix three security issues are now availablefor Red Hat JBoss Web Server 2.0.1 on Red Hat Enterprise Linux 5 and 6.The Red Hat Security Response Team has rated this update as having Moderatesecurity impact. Common Vulnerability Scoring System (CVSS) base scores,which give detailed severity ratings, are available for each vulnerabilityfrom the CVE links in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set ofcomponents for hosting Java web applications. It is comprised of the ApacheHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the TomcatNative library.It was found that when Tomcat processed a series of HTTP requests in whichat least one request contained either multiple content-length headers, orone content-length header with a chunked transfer-encoding header, Tomcatwould incorrectly handle the request. A remote attacker could use this flawto poison a web cache, perform cross-site scripting (XSS) attacks, orobtain sensitive information from other requests. (CVE-2013-4286)It was discovered that the fix for CVE-2012-3544 did not properly resolve adenial of service flaw in the way Tomcat processed chunk extensions andtrailing headers in chunked requests. A remote attacker could use this flawto send an excessively long request that, when processed by Tomcat, couldconsume network bandwidth, CPU, and memory on the Tomcat server. Note thatchunked transfer encoding is enabled by default. (CVE-2013-4322)A denial of service flaw was found in the way Apache Commons FileUpload,which is embedded in Tomcat, handled small-sized buffers used byMultipartStream. A remote attacker could use this flaw to create amalformed Content-Type header for a multipart request, causing Tomcat toenter an infinite loop when processing such an incoming request.(CVE-2014-0050)All users of Red Hat JBoss Web Server 2.0.1 are advised to upgrade to theseupdated tomcat7 packages, which contain backported patches to correct theseissues. The Red Hat JBoss Web Server process must be restarted for theupdate to take effect.
Before applying this update, make sure all previously released erratarelevant to your system have been applied, and back up your existing RedHat JBoss Web Server installation (including all applications andconfiguration files).This update is available via the Red Hat Network. Details on how touse the Red Hat Network to apply this update are available athttps://access.redhat.com/knowledge/articles/11258JBoss Enterprise Web Server v2 EL5

SRPMS:
tomcat7-7.0.40-13_patch_02.ep6.el5.src.rpm
    MD5: 5dca9464657ff6c02bf72019fe718cc5SHA-256: 51beee717f605d59a28de5726fd4730d2d75cd7788552a422f447fe73ba7e599
 
IA-32:
tomcat7-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 93d9cb6974193d67b958f06d6951d0e9SHA-256: fadba8d391077c11b2089d294279b503fbc6b156c608656a996b6880c407dc34
tomcat7-admin-webapps-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: a46ba118e91378cad68e0523fbdd13c0SHA-256: de18b41526dba974673846551e6a5ea08aead774cab1885eaa5b32c1212be862
tomcat7-docs-webapp-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: bf0dccd46fc22aa9309a326b93d48062SHA-256: e7360fcbf75d741581ea7a35646474fd635076e74cb4534a6cc0061888ac09b7
tomcat7-el-2.2-api-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 92d1669ef487c0bab6c0244c72c7d77eSHA-256: 493b12e0516127cc9b77632e0529e0cc17a1de2a0cdd8779618d76970808ac9d
tomcat7-javadoc-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 3a475ed5eae815e0a1e04c26116fc955SHA-256: cbef053811073e6493832d1fb5ce020521921eb9e38d7ecc3a0f76acfab48965
tomcat7-jsp-2.2-api-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 20c7fb8a3442ae8295899f495c630118SHA-256: 7ccfe2ce00d7aff905e6c82ef336c236ab5198abd3153ee52d83853925d93405
tomcat7-lib-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 2c6ea75448dfe70abb1a766d47fef0b0SHA-256: 52d481be23ef8ec34e19ec9b270599e1297f7b763253ca23178bef07397528e8
tomcat7-log4j-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 3c4dac6126242595318bd833c9da9bafSHA-256: 54e5768b136d74492e61d078bc36922160d4b902ed93cc8dd9050c6401938164
tomcat7-servlet-3.0-api-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: c8cf551121b6050549de3d6c5a4f70d6SHA-256: 0b9cbd0bb405abea18bfc340ee01a366c43b0d513cbe7ee4c900202850a87f7c
tomcat7-webapps-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 85919a5184d8d65f691847ba3ec3483cSHA-256: 72d2d0d7c15e66397b576e99d3cf1b23707fa6a73296fe0034736df39127bb6f
 
x86_64:
tomcat7-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 93d9cb6974193d67b958f06d6951d0e9SHA-256: fadba8d391077c11b2089d294279b503fbc6b156c608656a996b6880c407dc34
tomcat7-admin-webapps-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: a46ba118e91378cad68e0523fbdd13c0SHA-256: de18b41526dba974673846551e6a5ea08aead774cab1885eaa5b32c1212be862
tomcat7-docs-webapp-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: bf0dccd46fc22aa9309a326b93d48062SHA-256: e7360fcbf75d741581ea7a35646474fd635076e74cb4534a6cc0061888ac09b7
tomcat7-el-2.2-api-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 92d1669ef487c0bab6c0244c72c7d77eSHA-256: 493b12e0516127cc9b77632e0529e0cc17a1de2a0cdd8779618d76970808ac9d
tomcat7-javadoc-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 3a475ed5eae815e0a1e04c26116fc955SHA-256: cbef053811073e6493832d1fb5ce020521921eb9e38d7ecc3a0f76acfab48965
tomcat7-jsp-2.2-api-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 20c7fb8a3442ae8295899f495c630118SHA-256: 7ccfe2ce00d7aff905e6c82ef336c236ab5198abd3153ee52d83853925d93405
tomcat7-lib-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 2c6ea75448dfe70abb1a766d47fef0b0SHA-256: 52d481be23ef8ec34e19ec9b270599e1297f7b763253ca23178bef07397528e8
tomcat7-log4j-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 3c4dac6126242595318bd833c9da9bafSHA-256: 54e5768b136d74492e61d078bc36922160d4b902ed93cc8dd9050c6401938164
tomcat7-servlet-3.0-api-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: c8cf551121b6050549de3d6c5a4f70d6SHA-256: 0b9cbd0bb405abea18bfc340ee01a366c43b0d513cbe7ee4c900202850a87f7c
tomcat7-webapps-7.0.40-13_patch_02.ep6.el5.noarch.rpm
    MD5: 85919a5184d8d65f691847ba3ec3483cSHA-256: 72d2d0d7c15e66397b576e99d3cf1b23707fa6a73296fe0034736df39127bb6f
 
JBoss Enterprise Web Server v2 EL6

SRPMS:
tomcat7-7.0.40-9_patch_02.ep6.el6.src.rpm
    MD5: 97e6189bad6808ba29471544301cdc5dSHA-256: 7eae405b8db23587305c3210ad433ce32db6670935fe7869b2328d0b4ba945f9
 
IA-32:
tomcat7-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 6ffe79fd0726d89dc0b6c67bcdde0da8SHA-256: bd27291a2a132432cf20bed499ea8dddad8cc714d86e9a17d256f79ae184b31e
tomcat7-admin-webapps-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 05c857710f081b394312497c4d006503SHA-256: 817f916aa3a3c5031922ee0a779282d94bb567203ffff5706664a051ea45db4d
tomcat7-docs-webapp-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 879d8df9dffdac7915dc93f52d34cb2dSHA-256: b98c0669caa51eb75fad25f127419beb62a2b004e06a5d9e97c103d25c738449
tomcat7-el-2.2-api-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 5ce8a49d12bd486b9c570ddbc3a21d0aSHA-256: 33e527de4c624a18c0ba8b028f16e554ede85ab18431c767d01882c1e6c9eb24
tomcat7-javadoc-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: bcb84678a4ccc208dfcdb0a90f46988dSHA-256: 8f3ed988416d4a145ba5b3759b5adfc843c6ff2c591eeb6c94116ca1d25b410b
tomcat7-jsp-2.2-api-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 71a04b0f11653fd19d433aa8b42aeb74SHA-256: a16e4e9d59bb09add8cb535cadb3c41e8f03ecf668ababc51313d6deca581e9c
tomcat7-lib-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 71df495d8d68ed3f2d0448ccae78fb01SHA-256: c68ca3d088194413595b659199b83f17b4f679045328c22ab0f9ae371b9365d9
tomcat7-log4j-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 5e85f0cc70faee55430eb8493945810fSHA-256: f72195d691300e6c41fe270515f9d9f28e391182eb620ecc6e93a573e161f6bc
tomcat7-servlet-3.0-api-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: aaec70c9b1579d6cabbbe84e233b621dSHA-256: ae1939b6f542da3240ee560da1ddddafd0c6faf8f7fff132825d753a323cb522
tomcat7-webapps-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 5098f004799ca11dc0bad8f324c9155cSHA-256: 4b5a2f25de577bec8003961ae9ad3216fe1775c9e6fddf753b16a3d00ee2351c
 
x86_64:
tomcat7-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 6ffe79fd0726d89dc0b6c67bcdde0da8SHA-256: bd27291a2a132432cf20bed499ea8dddad8cc714d86e9a17d256f79ae184b31e
tomcat7-admin-webapps-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 05c857710f081b394312497c4d006503SHA-256: 817f916aa3a3c5031922ee0a779282d94bb567203ffff5706664a051ea45db4d
tomcat7-docs-webapp-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 879d8df9dffdac7915dc93f52d34cb2dSHA-256: b98c0669caa51eb75fad25f127419beb62a2b004e06a5d9e97c103d25c738449
tomcat7-el-2.2-api-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 5ce8a49d12bd486b9c570ddbc3a21d0aSHA-256: 33e527de4c624a18c0ba8b028f16e554ede85ab18431c767d01882c1e6c9eb24
tomcat7-javadoc-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: bcb84678a4ccc208dfcdb0a90f46988dSHA-256: 8f3ed988416d4a145ba5b3759b5adfc843c6ff2c591eeb6c94116ca1d25b410b
tomcat7-jsp-2.2-api-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 71a04b0f11653fd19d433aa8b42aeb74SHA-256: a16e4e9d59bb09add8cb535cadb3c41e8f03ecf668ababc51313d6deca581e9c
tomcat7-lib-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 71df495d8d68ed3f2d0448ccae78fb01SHA-256: c68ca3d088194413595b659199b83f17b4f679045328c22ab0f9ae371b9365d9
tomcat7-log4j-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 5e85f0cc70faee55430eb8493945810fSHA-256: f72195d691300e6c41fe270515f9d9f28e391182eb620ecc6e93a573e161f6bc
tomcat7-servlet-3.0-api-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: aaec70c9b1579d6cabbbe84e233b621dSHA-256: ae1939b6f542da3240ee560da1ddddafd0c6faf8f7fff132825d753a323cb522
tomcat7-webapps-7.0.40-9_patch_02.ep6.el6.noarch.rpm
    MD5: 5098f004799ca11dc0bad8f324c9155cSHA-256: 4b5a2f25de577bec8003961ae9ad3216fe1775c9e6fddf753b16a3d00ee2351c
 
(The unlinked packages above are only available from the Red Hat Network)
1062337 – CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream1069905 – CVE-2013-4322 tomcat: incomplete fix for CVE-2012-35441069921 – CVE-2013-4286 tomcat: multiple content-length header poisoning flaws

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:

Leave a Reply