Bugzilla – Bug 706404
VUL-0: CVE-2011-2204: tomcat user password information leak
Last modified: 2014-07-17 09:33:47 UTC
Your friendly security team received the following report via mitre. Please respond ASAP. The issue is public.

-------8<-------
======================================================
Name: CVE-2011-2204 {Novell Bug: 702289}

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=717013
Reference: XF: http://xforce.iss.net/xforce/xfdb/68238
Reference: BID: http://www.securityfocus.com/bid/48456
Reference: OSVDB: http://www.osvdb.org/73429
Reference: CONFIRM: http://tomcat.apache.org/security-7.html
Reference: CONFIRM: http://tomcat.apache.org/security-6.html
Reference: CONFIRM: http://tomcat.apache.org/security-5.html
Reference: SECTRACK: http://securitytracker.com/id?1025712
Reference: SECUNIA: http://secunia.com/advisories/44981
The SWAMPID for this issue is 42525. This issue was rated as moderate. Please submit fixed packages until 2011-08-19. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
please ignore, just adjusting priority
submitted a fix to
sles9: 14192
sles10: 14193
sles11: 14194
11.3: 78887
11.4: 78888

This is an autogenerated message for OBS integration: This bug (706404) was mentioned in
https://build.opensuse.org/request/show/78887 11.3 / tomcat6
https://build.opensuse.org/request/show/78888 11.4 / tomcat6
Michal, you submitted SLE11 twice. 14193 is a SLE11 SP1 submit, not a SLE10 one.
sles9 smells too minor.
sles9 is too minor. I found sle10 in Michal's home: directory, going to submit that.
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-el-1_0-api, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products: openSUSE 11.3 (i586), openSUSE 11.4 (i586)

Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps
Products: SLE-SAP-APL 10-SP3 (x86_64), SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64), SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64), SLE-SERVER 10-SP3-TERADATA (x86_64)

Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps
Products: SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64), SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)

Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products: SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SUSE-MANAGER 1.2 (x86_64)
released
This is an autogenerated message for OBS integration: This bug (706404) was mentioned in https://build.opensuse.org/request/show/81045 Evergreen:11.2 / tomcat6
This is an autogenerated message for OBS integration: This bug (706404) was mentioned in https://build.opensuse.org/request/show/81630 Evergreen:11.1 / tomcat6
This is an autogenerated message for OBS integration: This bug (706404) was mentioned in https://build.opensuse.org/request/show/88690 Evergreen:11.1 / tomcat6