Return-Path: Delivered-To: apmail-tomcat-users-archive@www.apache.org Received: (qmail 30069 invoked from network); 24 Jan 2010 21:55:03 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 24 Jan 2010 21:55:03 -0000 Received: (qmail 67989 invoked by uid 500); 24 Jan 2010 21:54:57 -0000 Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org Received: (qmail 67827 invoked by uid 500); 24 Jan 2010 21:54:57 -0000 Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Users List" Delivered-To: mailing list users@tomcat.apache.org Received: (qmail 67634 invoked by uid 99); 24 Jan 2010 21:54:56 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 24 Jan 2010 21:54:56 +0000 X-ASF-Spam-Status: No, hits=1.2 required=10.0 tests=SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (athena.apache.org: local policy) Received: from [81.103.221.47] (HELO mtaout01-winn.ispmail.ntl.com) (81.103.221.47) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 24 Jan 2010 21:54:47 +0000 Received: from know-smtpout-1.server.virginmedia.net ([62.254.123.1]) by mtaout01-winn.ispmail.ntl.com (InterMail vM.7.08.04.00 201-2186-134-20080326) with ESMTP id <20100124215424.DPGI4204.mtaout01-winn.ispmail.ntl.com@know-smtpout-1.server.virginmedia.net>; Sun, 24 Jan 2010 21:54:24 +0000 Received: from [69.57.230.185] (helo=s2-laptop.local) by know-smtpout-1.server.virginmedia.net with esmtpa (Exim 4.63) (envelope-from ) id 1NZAPY-0006Q7-6q; Sun, 24 Jan 2010 21:54:24 +0000 Message-ID: <4B5CC17B.4030708@apache.org> Date: Sun, 24 Jan 2010 16:54:03 -0500 From: Mark Thomas User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.5) Gecko/20091204 Thunderbird/3.0 MIME-Version: 1.0 To: Tomcat Users List , Tomcat Developers List , announce@tomcat.apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, announce@apache.org Subject: [SECURITY] CVE-2009-2693 Apache Tomcat unexpected file deletion and/or alteration X-Enigmail-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Cloudmark-Analysis: v=1.1 cv=W3tOLUehizD4qj6VhtReFuw5MKb8d+XqjIxlDsIazEA= c=1 sm=0 a=OBjz_cd-f_MA:10 a=mV9VRH-2AAAA:8 a=xe8BsctaAAAA:8 a=pTqWsdXVPq1lkC3TcNQA:9 a=bHg_OGuWtGxCMmHx8p2AwgSYIu4A:4 a=gb2R2Bxd7cYA:10 a=5L4ffvCfwDGM_wwj:21 a=9-vXGqnoK4dUmv8V:21 a=HpAAvcLHHh0Zw7uRqdWCyQ==:117 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2009-3548: Apache Tomcat unexpected file deletion and/or alteration Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 5.5.0 to 5.5.28 Tomcat 6.0.0 to 6.0.20 The unsupported Tomcat 3.x, 4.x and 5.0.x versions may be also affected. Description: When deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root. Mitigation: 6.0.x users should upgrade to 6.0.24 or apply this patch: http://svn.apache.org/viewvc?rev=892815&view=rev 5.5.x users should upgrade to 5.5.29 when released or apply this patch: http://svn.apache.org/viewvc?rev=902650&view=rev Note: the patches also address CVE-2009-2901 and CVE-2009-2902. Alternatively, users of all Tomcat versions may mitigate this issue by manually validating the contents of untrusted WAR files before deployment. Example: A WAR file that contains the following entry will overwrite the standard Windows start-up script when deployed on a default Tomcat installation: ../../bin/catalina.bat Credit: This issue was reported to the Apache Tomcat security team by Marc Schoenefeld of the Red Hat Security Response Team References: [1] http://tomcat.apache.org/security.html Mark Thomas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJLXMF6AAoJEBDAHFovYFnniGcP/j9ZyFlLdzcTxJLqqWyAOdUt J1jF8vZTIqkf/vFyrRxLgw9ihaKZQ1wpd9U3vdHulcIsuAeBtiZgIhlXKItJiTLf ImsEl5a3w3Ucp2Z71/IIRxmcffz/zIjgdzmhmnRDEhiHz/wiygpRr7X1M8ZgZVXe itxFDhZu7ccWDTwUkxOoFuG6CWxb6/red3l5CaL4OtcWBTZ1aqQ5M1Io62pWErLI 6F/xuGTvWn4AeXaNEgJOGFZLLyX06WQJSzaJXh/tPqI153mk5Or63m03uJy9wHqa p7ULRvRNSZ57m8L08e397uCjvu4CPGf1Rm0dDDART7UaLF1Q13gP9O6DPCS88wN+ ypgZTERSG9t0iMHZCKNjH1huRJDVPkEJwvGdtH0wGzFwg5S+oJ/J5ETW29dQ/JUR pt1U1Xz6RnzFFgQR4Xomdc4SPysDFOIAexi8dkZPDcafN7YyiMQTRyU3iNRuoaR1 Y32qWfqJrmVDWQ1J4BLYsrLrpgZ0s5ccq6omz36lbH+3blyVPf1th84lWg9GG6lo W3qsnJIpNfxLi9II9sDxbVpUJXLVbJmBexUDR3z9BayowNtBlwMWXEZluctGe2DO hIkNB0D33AJvMD7wY80tnXY/hH3X5Vs+ZePEmu7TQB1KXzTinEbVdNVPF8/8woaL 7iN004jxhnUxQc8Fgwj4 =/B5h -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org For additional commands, e-mail: users-help@tomcat.apache.org