Test Kennung:	1.3.6.1.4.1.25623.1.0.64284
Kategorie:	Mandrake Local Security Checks
Titel:	Mandrake Security Advisory MDVSA-2009:138 (tomcat5)
Zusammenfassung:	The remote host is missing an update to tomcat5;announced via advisory MDVSA-2009:138.
Beschreibung:	Summary: The remote host is missing an update to tomcat5 announced via advisory MDVSA-2009:138. Vulnerability Insight: Multiple security vulnerabilities has been identified and fixed in tomcat5: Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request (CVE-2008-5515). Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header (CVE-2009-0033). Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter (CVE-2009-0580). The calendar application in the examples web application contains an XSS flaw due to invalid HTML which renders the XSS filtering protection ineffective (CVE-2009-0781). Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application (CVE-2009-0783). The updated packages have been patched to prevent this. Additionally Apache Tomcat has been upgraded to the latest 5.5.27 version for 2009.0. Affected: 2009.0, 2009.1 Solution: To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2008-5515 20090608 [SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability http://www.securityfocus.com/archive/1/504170/100/0/threaded 20090610 [SECURITY] UPDATED CVE-2008-5515 RequestDispatcher directory traversal vulnerability http://www.securityfocus.com/archive/1/504202/100/0/threaded 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components http://www.securityfocus.com/archive/1/507985/100/0/threaded 263529 http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1 35263 http://www.securityfocus.com/bid/35263 35393 http://secunia.com/advisories/35393 35685 http://secunia.com/advisories/35685 35788 http://secunia.com/advisories/35788 37460 http://secunia.com/advisories/37460 39317 http://secunia.com/advisories/39317 42368 http://secunia.com/advisories/42368 44183 http://secunia.com/advisories/44183 ADV-2009-1520 http://www.vupen.com/english/advisories/2009/1520 ADV-2009-1535 http://www.vupen.com/english/advisories/2009/1535 ADV-2009-1856 http://www.vupen.com/english/advisories/2009/1856 ADV-2009-3316 http://www.vupen.com/english/advisories/2009/3316 ADV-2010-3056 http://www.vupen.com/english/advisories/2010/3056 APPLE-SA-2010-03-29-1 http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html DSA-2207 http://www.debian.org/security/2011/dsa-2207 FEDORA-2009-11352 https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html FEDORA-2009-11356 https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html FEDORA-2009-11374 https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html HPSBMA02535 http://marc.info/?l=bugtraq&m=127420533226623&w=2 HPSBUX02579 http://marc.info/?l=bugtraq&m=129070310906557&w=2 HPSBUX02860 http://marc.info/?l=bugtraq&m=136485229118404&w=2 JVN#63832775 http://jvn.jp/en/jp/JVN63832775/index.html MDVSA-2009:136 http://www.mandriva.com/security/advisories?name=MDVSA-2009:136 MDVSA-2009:138 http://www.mandriva.com/security/advisories?name=MDVSA-2009:138 MDVSA-2010:176 http://www.mandriva.com/security/advisories?name=MDVSA-2010:176 SSRT100029 SSRT100203 SSRT101146 SUSE-SR:2009:012 http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html SUSE-SR:2010:008 http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html [tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190319 svn commit: r1855831 [22/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190325 svn commit: r1856174 [20/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20200203 svn commit: r1873527 [22/30] - /tomcat/site/trunk/docs/ https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20200213 svn commit: r1873980 [24/34] - /tomcat/site/trunk/docs/ https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20200213 svn commit: r1873980 [25/34] - /tomcat/site/trunk/docs/ https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E http://support.apple.com/kb/HT4077 http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html http://www.vmware.com/security/advisories/VMSA-2009-0016.html oval:org.mitre.oval:def:10422 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422 oval:org.mitre.oval:def:19452 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452 oval:org.mitre.oval:def:6445 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445 Common Vulnerability Exposure (CVE) ID: CVE-2009-0033 1022331 http://securitytracker.com/id?1022331 20090603 [SECURITY] CVE-2009-0033 Apache Tomcat DoS when using Java AJP connector http://www.securityfocus.com/archive/1/504044/100/0/threaded 35193 http://www.securityfocus.com/bid/35193 35326 http://secunia.com/advisories/35326 35344 http://secunia.com/advisories/35344 ADV-2009-1496 http://www.vupen.com/english/advisories/2009/1496 HPSBOV02762 http://marc.info/?l=bugtraq&m=133469267822771&w=2 JVN#87272440 http://jvn.jp/en/jp/JVN87272440/index.html SSRT100825 http://svn.apache.org/viewvc?rev=742915&view=rev http://svn.apache.org/viewvc?rev=781362&view=rev oval:org.mitre.oval:def:10231 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10231 oval:org.mitre.oval:def:19110 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19110 oval:org.mitre.oval:def:5739 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5739 tomcat-ajp-dos(50928) https://exchange.xforce.ibmcloud.com/vulnerabilities/50928 Common Vulnerability Exposure (CVE) ID: CVE-2009-0580 1022332 http://securitytracker.com/id?1022332 20090603 [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication http://www.securityfocus.com/archive/1/504045/100/0/threaded 20090604 Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication http://www.securityfocus.com/archive/1/504108/100/0/threaded 20090605 [SECURITY] CVE-2009-0580 UPDATED Apache Tomcat User enumeration vulnerability with FORM authentication http://www.securityfocus.com/archive/1/504125/100/0/threaded 35196 http://www.securityfocus.com/bid/35196 http://svn.apache.org/viewvc?rev=747840&view=rev http://svn.apache.org/viewvc?rev=781379&view=rev http://svn.apache.org/viewvc?rev=781382&view=rev oval:org.mitre.oval:def:18915 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18915 oval:org.mitre.oval:def:6628 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6628 oval:org.mitre.oval:def:9101 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9101 tomcat-jsecuritycheck-info-disclosure(50930) https://exchange.xforce.ibmcloud.com/vulnerabilities/50930 Common Vulnerability Exposure (CVE) ID: CVE-2009-0781 20090306 [SECURITY] CVE-2009-0781 XSS in Apache Tomcat examples web application http://www.securityfocus.com/archive/1/501538/100/0/threaded oval:org.mitre.oval:def:11041 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11041 oval:org.mitre.oval:def:19345 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19345 oval:org.mitre.oval:def:6564 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6564 tomcat-cal2-xss(49213) https://exchange.xforce.ibmcloud.com/vulnerabilities/49213 Common Vulnerability Exposure (CVE) ID: CVE-2009-0783 1022336 http://www.securitytracker.com/id?1022336 20090604 [SECURITY] CVE-2009-0783 Apache Tomcat Information disclosure http://www.securityfocus.com/archive/1/504090/100/0/threaded 35416 http://www.securityfocus.com/bid/35416 http://svn.apache.org/viewvc?rev=652592&view=rev http://svn.apache.org/viewvc?rev=681156&view=rev http://svn.apache.org/viewvc?rev=739522&view=rev http://svn.apache.org/viewvc?rev=781542&view=rev http://svn.apache.org/viewvc?rev=781708&view=rev https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 https://issues.apache.org/bugzilla/show_bug.cgi?id=45933 oval:org.mitre.oval:def:10716 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716 oval:org.mitre.oval:def:18913 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913 oval:org.mitre.oval:def:6450 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450 tomcat-xml-information-disclosure(51195) https://exchange.xforce.ibmcloud.com/vulnerabilities/51195
Copyright	Copyright (C) 2009 E-Soft Inc.

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus. Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.