Bug 612799 (CVE-2010-2227)
| Summary: | CVE-2010-2227 tomcat: information leak vulnerability in the handling of 'Transfer-Encoding' header | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | alee, awnuk, cfu, devrim, djorm, dknox, dpospisi, dwalluck, eric, extras-orphan, jlieskov, jmagne, jsherril, manderse, mharmsen, mjc, mschoene, myarboro, pcheung, pjha, rafaels, rruss, skakar, tao, theute, tromey |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | tomcat5 5.5.30, tomcat6 6.0.28 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-08-16 18:36:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 613004, 613005, 613944, 613945, 613946, 613948, 614422, 614424, 616750, 616751, 617501, 632313, 632314 | ||
| Bug Blocks: | |||
|
Description
Vincent Danen
2010-07-09 04:17:46 UTC
Tomcat 5.5.30 is available to fix this flaw: http://tomcat.apache.org/security-5.html And the svn revision (patches) to correct it: http://svn.apache.org/viewvc?view=revision&revision=959428 This flaw affects the version of the tomcat5 package, as shipped with Red Hat Enterprise Linux 5. This flaw affects the version of the tomcat5 package, as shipped with Red Hat Application Server v2. This flaw affects the versions of the tomcat5 and tomcat6 packages, as shipped with JBoss Enterprise Web Server 1.0.1 for Red Hat Enterprise Linux 4 and 5. This flaw affects the version of the tomcat5 package, as shipped with Red Hat Developer Suite 3. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0580 https://rhn.redhat.com/errata/RHSA-2010-0580.html This issue has been addressed in following products: RHAPS Version 2 for RHEL 4 Via RHSA-2010:0582 https://rhn.redhat.com/errata/RHSA-2010-0582.html This issue has been addressed in following products: Red Hat Developer Suite V.3 Via RHSA-2010:0583 https://rhn.redhat.com/errata/RHSA-2010-0583.html This issue has been addressed in following products: JBEAP 4.2.0 for RHEL 4 JBEAP 4.3.0 for RHEL 4 JBEAP 4.2.0 for RHEL 5 JBEAP 4.3.0 for RHEL 5 Via RHSA-2010:0584 https://rhn.redhat.com/errata/RHSA-2010-0584.html This issue has been addressed in following products: JBEWS 1.0 for RHEL 4 JBEWS 1.0 for RHEL 5 Via RHSA-2010:0581 https://rhn.redhat.com/errata/RHSA-2010-0581.html Created tomcat6 tracking bugs for this issue Affects: fedora-all [bug 632313] Created tomcat5 tracking bugs for this issue Affects: fedora-all [bug 632314] This issue has been addressed in following products: Red Hat Certificate System 7.3 Via RHSA-2010:0693 https://rhn.redhat.com/errata/RHSA-2010-0693.html This issue has been addressed in an asynchronous patch to JBoss Enterprise Application Platform 5.0.1, available here (login required): https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=3683&product=appplatform&version=5.0.1&downloadType=securityPatches It is also fixed in all subsequent versions of JBoss Enterprise Application Platform 5. |