The RHSA-2009:1164 Tomcat security update for Red Hat Enterprise Linux 5 did not, unlike the erratum text stated, provide a fix for CVE-2009-0781, a cross-site scripting (XSS) flaw in the examples calendar application. A missing patch is considered a security regression, and requires a new CVE name. This regression is assigned CVE-2009-2696. It fixes the same issue as CVE-2009-0781 and is specific to Red Hat Enterprise Linux 5.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0580 https://rhn.redhat.com/errata/RHSA-2010-0580.html