USN-899-1: Tomcat vulnerabilities

view full story

http://www.ubuntu.com – Referenced CVEs:  CVE-2009-2693, CVE-2009-2901, CVE-2009-2902 Description:  =========================================================== Ubuntu Security Notice USN-899-1 February 11, 2010 tomcat6 vulnerabilities CVE-2009-2693, CVE-2009-2901, CVE-2009-2902 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 8.10 Ubuntu 9.04 Ubuntu 9.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.10: libtomcat6-java 6.0.18-0ubuntu3.3 Ubuntu 9.04: libtomcat6-java 6.0.18-0ubuntu6.2 Ubuntu 9.10: libtomcat6-java 6.0.20-2ubuntu2.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that Tomcat did not correctly validate WAR filenames or paths when deploying. A remote attacker could send a specially crafted WAR file to be deployed and cause arbitrary files and directories to be created, overwritten, or deleted. (Distributions)