Bugzilla – Bug 706382
VUL-0: CVE-2011-2526: tomcat information leak and DoS
Last modified: 2014-07-17 09:34:40 UTC
Your friendly security team received the following report via mitre. Please respond ASAP. The issue is public.

-------8<-------
======================================================
Name: CVE-2011-2526

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.

Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=720948
Reference: CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1146005
Reference: CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1145694
Reference: CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1145571
Reference: CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1145383
Reference: BID: http://www.securityfocus.com/bid/48667
Reference: CONFIRM: http://tomcat.apache.org/security-7.html
Reference: CONFIRM: http://tomcat.apache.org/security-6.html
Reference: CONFIRM: http://tomcat.apache.org/security-5.html
please ignore, just adjusting priority
submitted a fix to
sles9: N/A - affected files are not in tomcat 5.019 used in sles9
sles10: 14193
sles11: 14194
11.3: 78887
11.4: 78888
This is an autogenerated message for OBS integration:
This bug (706382) was mentioned in
https://build.opensuse.org/request/show/78887 11.3 / tomcat6
https://build.opensuse.org/request/show/78888 11.4 / tomcat6
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-el-1_0-api, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
openSUSE 11.3 (i586)
openSUSE 11.4 (i586)
Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps
Products:
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps
Products:
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SUSE-MANAGER 1.2 (x86_64)
This is an autogenerated message for OBS integration:
This bug (706382) was mentioned in
https://build.opensuse.org/request/show/81045 Evergreen:11.2 / tomcat6
This is an autogenerated message for OBS integration:
This bug (706382) was mentioned in
https://build.opensuse.org/request/show/81630 Evergreen:11.1 / tomcat6
done already
This is an autogenerated message for OBS integration:
This bug (706382) was mentioned in
https://build.opensuse.org/request/show/88690 Evergreen:11.1 / tomcat6