Bug 720948 (CVE-2011-2526)
| Summary: | CVE-2011-2526 tomcat: security manager restrictions bypass | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | alee, awnuk, cfu, csutherl, djorm, dknox, gary.p.anderson, jdennis, jmagne, jpazdziora, jscotka, luke+redhat, mharmsen, pcheung, security-response-team, tromey, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-05-23 01:57:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 721086, 721087, 738503, 738504, 738505, 738506, 738507 | | |
| Bug Blocks: | 720970, 795277, 810065 | | |
Description

Jan Lieskovsky
2011-07-13 10:25:02 UTC

Public now via:
[1] http://tomcat.apache.org/security-5.html (Apache Tomcat 5.5.34 [not yet released] case)
[2] http://tomcat.apache.org/security-6.html (Apache Tomcat 6.0.33 [not yet released] case)

Related patches:
[3] http://people.apache.org/~markt/patches/2011-07-13-cve-2011-2526-tc5.patch (Apache Tomcat 5.5.x case)
[4] http://people.apache.org/~markt/patches/2011-07-13-cve-2011-2526-tc6.patch (Apache Tomcat 6.0.x case)

Created tomcat6 tracking bugs for this issue
Affects: fedora-all [bug 721087]

Created tomcat5 tracking bugs for this issue
Affects: fedora-all [bug 721086]

This issue affects the versions of the tomcat5 package, as shipped with Fedora release of 14 and 15. Please schedule an update.

--

This issue affects the versions of the tomcat6 package, as shipped with Fedora release of 14 and 15. Please schedule an update.

fedora updates for both tomcat6 and tomcat5 will begin 14 July.

Statement:
The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.

This is now fixed upstream:
http://svn.apache.org/viewvc?view=revision&revision=1158244 (tomcat5)
http://svn.apache.org/viewvc?view=revision&revision=1146703 (tomcat6)

Acknowledgements:
Red Hat would like to thank the Apache Tomcat project for reporting this issue.

This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:1780 https://rhn.redhat.com/errata/RHSA-2011-1780.html

Does this CVE affect the version of Tomcat 5 shipped with RHEL 5? If so is there a RHSA/fix available?

(In reply to comment #28)
> Does this CVE affect the version of Tomcat 5 shipped with RHEL 5? If so is
> there a RHSA/fix available?

This CVE does not affect Tomcat 5 as shipped with Red Hat Enterprise Linux 5. The flaw is only present when the HTTP NIO or HTTP APR connector is used. Neither of these connectors ship with Tomcat 5 on Red Hat Enterprise Linux 5.

This issue has been addressed in following products:
JBoss Enterprise Application Platform 4.3.0 CP10
Via RHSA-2012:0041 https://rhn.redhat.com/errata/RHSA-2012-0041.html

This issue has been addressed in following products:
JBoss Communications Platform 5.1.3
Via RHSA-2012:0078 https://rhn.redhat.com/errata/RHSA-2012-0078.html

This issue has been addressed in following products:
JBoss Enterprise Web Platform 5.1.2
Via RHSA-2012:0077 https://rhn.redhat.com/errata/RHSA-2012-0077.html

This issue has been addressed in following products:
JBEWP 5 for RHEL 6
JBEWP 5 for RHEL 4
JBEWP 5 for RHEL 5
Via RHSA-2012:0076 https://rhn.redhat.com/errata/RHSA-2012-0076.html

This issue has been addressed in following products:
JBoss Enterprise Application Platform 5.1.2
Via RHSA-2012:0075 https://rhn.redhat.com/errata/RHSA-2012-0075.html

This issue has been addressed in following products:
JBEAP 5 for RHEL 6
JBEAP 5 for RHEL 4
JBEAP 5 for RHEL 5
Via RHSA-2012:0074 https://rhn.redhat.com/errata/RHSA-2012-0074.html

This issue has been addressed in following products:
JBoss Enterprise Portal Platform 4.3 CP07
Via RHSA-2012:0091 https://rhn.redhat.com/errata/RHSA-2012-0091.html

This issue has been addressed in following products:
JBoss Enterprise BRMS Platform 5.2.0
JBoss Enterprise Portal Platform 5.2.0
JBoss Enterprise SOA Platform 5.2.0
Via RHSA-2012:0325 https://rhn.redhat.com/errata/RHSA-2012-0325.html

Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)?

(In reply to comment #38)
> Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)?

An erratum for EWS 1.0.2 is in progress. It is currently awaiting QE.

This issue has been addressed in following products:
JBEWS 1.0 for RHEL 5
JBEWS 1.0 for RHEL 6
Via RHSA-2012:0680 https://rhn.redhat.com/errata/RHSA-2012-0680.html

This issue has been addressed in following products:
JBEWS 1.0
Via RHSA-2012:0679 https://rhn.redhat.com/errata/RHSA-2012-0679.html

This issue has been addressed in following products:
JBEWS 1.0
Via RHSA-2012:0681 https://rhn.redhat.com/errata/RHSA-2012-0681.html

This issue has been addressed in following products:
JBEWS 1.0 for RHEL 5
JBEWS 1.0 for RHEL 6
Via RHSA-2012:0682 https://rhn.redhat.com/errata/RHSA-2012-0682.html