7.256. tomcat6

Updated tomcat6 packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The tomcat6 packages provide Apache Tomcat 6, which is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Bug Fixes

BZ#576540
On Red Hat Enterprise Linux, Apache Tomcat initscripts should be located in the /etc/rc.d/init.d directory. However, the conman initscript was previously located in the /etc/init.d directory due to a mistake in the package spec file. With this update, the spec file has been corrected and the conman script is located in the /etc/rc.d/init.d directory along with the other initscripts, as expected.
BZ#847288
When a web application used its own class loader, a synchronization bug could cause a deadlock in the Tomcat WebappClassLoader while compiling JSPs. This update fixes the synchronization bug, and external class loaders no longer interfere with WebappClassLoader.
BZ#798617
Due to incorrect logic in retrieving the process details, the service status command returned an incorrect tomcat6 status when TOMCAT_USER in the /etc/tomcat6/tomcat6.conf file was changed to a user whose UID differed from that user's GID. With this update, the code has been modified and the correct service status is now returned in this scenario.
BZ#785954
When Tomcat was asked to import a non-existent page with JavaScript fragments in the URL parameters, it returned a message that the resource was not available without filtering the supplied input. This update adds HTML filtering to Tomcat, and the servlet container now correctly returns the message that the resource is missing in this scenario.
Users of tomcat6 are advised to upgrade to these updated packages, which fix these bugs.

Updated tomcat6 packages that fix two security issues are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fixes

CVE-2013-1976
A flaw was found in the way the tomcat6 init script handled the tomcat6-initd.log log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root.
Note: With this update, tomcat6-initd.log has been moved from /var/log/tomcat6/ to the /var/log/ directory.
CVE-2013-2051
It was found that the RHSA-2013:0623 update did not correctly fix CVE-2012-5887, a weakness in the Tomcat DIGEST authentication implementation. A remote attacker could use this flaw to perform replay attacks in some circumstances. Additionally, this problem also prevented users from being able to authenticate using DIGEST authentication.
Red Hat would like to thank Simon Fayer of Imperial College London for reporting the CVE-2013-1976 issue.
Users of Tomcat are advised to upgrade to these updated packages, which correct these issues. Tomcat must be restarted for this update to take effect.
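The defensive checks an init script needs before it hands a log file such as tomcat6-initd.log to the service user, as an added example that is not Red Hat's tomcat6 init script. The function name prepare_log_file and its return codes are assumptions; it is written for a POSIX shell with the GNU coreutils stat found on RHEL.

```shell
#!/bin/sh
# Added hardening example, not the tomcat6 init script shipped by Red Hat.
# It refuses symbolic links and refuses a parent directory that the service
# user could write to: the two conditions behind CVE-2013-1976, where a root
# chown followed a planted link to an arbitrary system file.
# The function name and return codes below are assumptions for this example.
#
# Usage: prepare_log_file LOGFILE OWNER
#   0  LOGFILE exists, is a regular file and is owned by OWNER
#   1  LOGFILE is a symlink or not a regular file, or chown failed
#   2  parent directory is group/world writable or not owned by the caller

prepare_log_file() {
    log=$1
    owner=$2
    dir=$(dirname "$log")

    # The parent directory must be owned by the caller (root for a real init
    # script) and writable by nobody else. Otherwise a process running as the
    # service user could swap the file for a symlink between the checks below
    # and the chown, so the symlink check alone would be a race.
    dir_uid=$(stat -c '%u' "$dir") || return 2
    dir_mode=$(stat -c '%a' "$dir") || return 2
    [ "$dir_uid" = "$(id -u)" ] || return 2
    # Leading 0 makes the mode an octal constant; 022 = group+other write bits.
    [ $(( 0$dir_mode & 022 )) -eq 0 ] || return 2

    # Never follow a symlink: chown on a planted link would change the
    # ownership of whatever file the link points to.
    [ ! -L "$log" ] || return 1
    if [ -e "$log" ] && [ ! -f "$log" ]; then
        return 1
    fi

    # Create the file if missing, readable by its owner only, then chown it.
    if [ ! -e "$log" ]; then
        ( umask 077 && : > "$log" ) || return 1
    fi
    chown "$owner" "$log" || return 1
    return 0
}

# Example call for the log file named in the advisory (not run here):
# prepare_log_file /var/log/tomcat6-initd.log tomcat
```

Moving the log out of the tomcat-writable /var/log/tomcat6/ directory, as the update does, is what lets the directory check pass; in the old location the function would return 2 and refuse to chown at all.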

Updated tomcat6 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with the description below.
Apache Tomcat is a servlet container.

Security Fixes

CVE-2012-3546
It was found that when an application used FORM authentication together with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of a URL. A remote attacker with an authenticated session on an affected application could use this flaw to circumvent authorization controls and thereby access resources not permitted by the roles associated with their authenticated session.
CVE-2012-4534
A flaw was found in the way Tomcat handled sendfile operations when using the HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker could use this flaw to cause a denial of service (infinite loop). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Red Hat Enterprise Linux 6.
CVE-2012-5885, CVE-2012-5886, CVE-2012-5887
Multiple weaknesses were found in the Tomcat DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances.
Users of Tomcat should upgrade to these updated packages, which correct these issues. Tomcat must be restarted for this update to take effect.