From: Support Info (supinfo@caldera.com)
Date: Mon Aug 06 2001 - 10:55:20 CDT



    ______________________________________________________________________________
                       Caldera International, Inc. Security Advisory

    Subject: Linux - Tomcat security problems
    Advisory number: CSSA-2001-028.0
    Issue date: 2001, August 02
    Cross reference:
    ______________________________________________________________________________

    1. Problem Description

       There are several security problems in Jakarta-Tomcat, the Java
       Servlet engine shipped as part of OpenLinux 3.1 Server. Several
       vulnerabilities allowed attackers to view files on the system.
       A second problem allowed so-called cross-site scripting, where
       a hostile web server can feed JavaScript or other code to a web
       browser, making it appear to originate from the server running
       Tomcat.

    2. Vulnerable Versions

       System                          Package
       -----------------------------------------------------------
       OpenLinux 2.3                   not vulnerable

       OpenLinux eServer 2.3.1         not vulnerable
       and OpenLinux eBuilder

       OpenLinux eDesktop 2.4          not vulnerable

       OpenLinux Server 3.1            All packages previous to
                                       jakarta-tomcat-3.2.3-3

       OpenLinux Workstation 3.1       not vulnerable

    3. Solution

       Workaround

         none

       The proper solution is to upgrade to the latest packages.

    4. OpenLinux 2.3

        not vulnerable

    5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

        not vulnerable

    6. OpenLinux eDesktop 2.4

        not vulnerable

    7. OpenLinux 3.1 Server

        7.1 Location of Fixed Packages

           The upgrade packages can be found on Caldera's FTP site at:

           ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

           The corresponding source code package can be found at:

           ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

       7.2 Verification

           b2b4fa902845eb88b81b7778d9625e2f RPMS/jakarta-tomcat-3.2.3-3.i386.rpm
           275881e7034ff900d67631b27f620025 SRPMS/jakarta-tomcat-3.2.3-3.src.rpm
           

       7.3 Installing Fixed Packages

           Upgrade the affected packages with the following commands:

             rpm -Fvh jakarta-tomcat-3.2.3-3.i386.rpm
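
           Section 7.2 publishes the MD5 sums but not the check itself. As an
           added example that is not part of the Caldera advisory, the POSIX
           shell script below compares the downloaded packages against those
           sums and runs the section 7.3 upgrade only when the binary package
           matches; it assumes the RPMS/ and SRPMS/ directories were mirrored
           from the FTP site into the current directory.

```shell
#!/bin/sh
# Added example, not part of the Caldera advisory: check the section 7.2
# MD5 sums before the section 7.3 upgrade. Assumes RPMS/ and SRPMS/ were
# mirrored from the FTP site into the current directory.

# md5_of FILE: print the hex MD5 of FILE (md5sum, or openssl as a fallback)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/^.* //'
    fi
}

# verify_md5 EXPECTED FILE: return 0 only if FILE exists and hashes to EXPECTED
# (case-insensitive); a missing file is a failure, not a skip.
verify_md5() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    if [ ! -f "$2" ]; then
        echo "MISSING  $2" >&2
        return 1
    fi
    actual=$(md5_of "$2")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $2"
        return 0
    fi
    echo "MISMATCH $2 (expected $expected, got $actual)" >&2
    return 1
}

# verify_advisory_sums: check every file listed in section 7.2, reporting all
# of them, and return 1 if any is missing or altered.
verify_advisory_sums() {
    rc=0
    verify_md5 b2b4fa902845eb88b81b7778d9625e2f RPMS/jakarta-tomcat-3.2.3-3.i386.rpm || rc=1
    verify_md5 275881e7034ff900d67631b27f620025 SRPMS/jakarta-tomcat-3.2.3-3.src.rpm || rc=1
    return $rc
}

# install_if_verified: run the section 7.3 command only when the binary
# package matches its published sum (the SRPM is not needed to install).
install_if_verified() {
    verify_md5 b2b4fa902845eb88b81b7778d9625e2f RPMS/jakarta-tomcat-3.2.3-3.i386.rpm || return 1
    rpm -Fvh RPMS/jakarta-tomcat-3.2.3-3.i386.rpm
}
```

           Call install_if_verified from the download directory. MD5 is not
           collision resistant, so it is the PGP signature on the advisory,
           not the sum by itself, that ties these values to the vendor.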
             

    8. OpenLinux 3.1 Workstation

        not vulnerable

    9. References

       This and other Caldera security resources are located at:

       http://www.caldera.com/support/security/index.html

       This security fix closes Caldera's internal Problem Reports 9690,
       9691, 10166 and 10247.

    10. Disclaimer

       Caldera International, Inc. is not responsible for the misuse of
       any of the information we provide on this website and/or through our
       security advisories. Our advisories are a service to our customers
       intended to promote secure installation and use of Caldera OpenLinux.
    ______________________________________________________________________________
