Mandriva Linux Security Advisory 2015-053 - Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 allows remote attackers to cause a denial of service via a malformed chunk size in chunked transfer coding of a request during the streaming of data. java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity issue. Various other issues have also been addressed.
fe7dd525200711ca8beef5888a4d5fba2a1e6a655e7bc8d56fb1e925244aad4b
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:053
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : tomcat6
Date : March 3, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated tomcat6 packages fix security vulnerabilities:
Integer overflow in the parseChunkHeader function in
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in
Apache Tomcat before 6.0.40 and 7.x before 7.0.53 allows remote
attackers to cause a denial of service (resource consumption) via a
malformed chunk size in chunked transfer coding of a request during
the streaming of data (CVE-2014-0075).
java/org/apache/catalina/servlets/DefaultServlet.java in the default
servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not
properly restrict XSLT stylesheets, which allows remote attackers
to bypass security-manager restrictions and read arbitrary files
via a crafted web application that provides an XML external entity
declaration in conjunction with an entity reference, related to an
XML External Entity (XXE) issue (CVE-2014-0096).
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in
Apache Tomcat before 6.0.40 and 7.x before 7.0.53, when operated
behind a reverse proxy, allows remote attackers to conduct HTTP
request smuggling attacks via a crafted Content-Length HTTP header
(CVE-2014-0099).
Apache Tomcat before 6.0.40 and 7.x before 7.0.54 does not properly
constrain the class loader that accesses the XML parser used with
an XSLT stylesheet, which allows remote attackers to read arbitrary
files via a crafted web application that provides an XML external
entity declaration in conjunction with an entity reference, related
to an XML External Entity (XXE) issue, or read files associated with
different web applications on a single Tomcat instance via a crafted
web application (CVE-2014-0119).
In Apache Tomcat 6.x before 6.0.55, it was possible to craft a
malformed chunk as part of a chunked request that caused Tomcat to
read part of the request body as a new request (CVE-2014-0227).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227
http://advisories.mageia.org/MGASA-2014-0268.html
http://advisories.mageia.org/MGASA-2015-0081.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
1e8a7ceba7befde2cc00e4692edbb2c4 mbs1/x86_64/tomcat6-6.0.43-1.mbs1.noarch.rpm
06f517754e9d043a05a465bfbc9511d9 mbs1/x86_64/tomcat6-admin-webapps-6.0.43-1.mbs1.noarch.rpm
12662943e4b7474eaeb884414c1542a3 mbs1/x86_64/tomcat6-docs-webapp-6.0.43-1.mbs1.noarch.rpm
0e93126df244648f82045ef4380d4680 mbs1/x86_64/tomcat6-el-2.1-api-6.0.43-1.mbs1.noarch.rpm
f9856715fa849af74d5a4a6893111572 mbs1/x86_64/tomcat6-javadoc-6.0.43-1.mbs1.noarch.rpm
df7e1851bec9805d843197db0f8fda41 mbs1/x86_64/tomcat6-jsp-2.1-api-6.0.43-1.mbs1.noarch.rpm
ed5b6f2cd6884b92613997b6dfd77cb7 mbs1/x86_64/tomcat6-lib-6.0.43-1.mbs1.noarch.rpm
a273b8f736fd13fb066a6d7052eea925 mbs1/x86_64/tomcat6-servlet-2.5-api-6.0.43-1.mbs1.noarch.rpm
127d1d1ecf7b6be75ac9f306f66f08fd mbs1/x86_64/tomcat6-systemv-6.0.43-1.mbs1.noarch.rpm
955d38f8c9dade3438dd254fe1778075 mbs1/x86_64/tomcat6-webapps-6.0.43-1.mbs1.noarch.rpm
816110f95d3ee2f6347c9c057695d6d0 mbs1/SRPMS/tomcat6-6.0.43-1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFU9XyKmqjQ0CJFipgRAvukAKCI1DXuj5eJr1SVaNIoXhz9PUilpQCg0l4c
77X/s+2Ee3FYUp9lZWBmLRg=
=pm31
-----END PGP SIGNATURE-----