This bug was fixed in the package tomcat6 - 6.0.28-2ubuntu1.5 --------------- tomcat6 (6.0.28-2ubuntu1.5) maverick-security; urgency=low
* SECURITY UPDATE: information disclosure via log file - debian/patches/0015-CVE-2011-2204.patch: fix logging in java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java, java/org/apache/catalina/users/MemoryUserDatabase.java, java/org/apache/catalina/users/MemoryUser.java. - CVE-2011-2204 * SECURITY UPDATE: file restriction bypass or denial of service via untrusted web application. - debian/patches/0016-CVE-2011-2526.patch: check canonical name in java/org/apache/catalina/connector/LocalStrings.properties, java/org/apache/catalina/connector/Request.java, java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/coyote/http11/Http11AprProcessor.java, java/org/apache/coyote/http11/LocalStrings.properties, java/org/apache/tomcat/util/net/AprEndpoint.java, java/org/apache/tomcat/util/net/NioEndpoint.java. - CVE-2011-2526 * SECURITY UPDATE: AJP request spoofing and authentication bypass (LP: #843701) - debian/patches/0017-CVE-2011-3190.patch: Properly handle request bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java, java/org/apache/coyote/ajp/AjpProcessor.java. - CVE-2011-3190 * SECURITY UPDATE: HTTP DIGEST authentication weaknesses - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in java/org/apache/catalina/authenticator/DigestAuthenticator.java, java/org/apache/catalina/authenticator/LocalStrings.properties, java/org/apache/catalina/authenticator/mbeans-descriptors.xml, java/org/apache/catalina/realm/RealmBase.java, webapps/docs/config/valve.xml. - CVE-2011-1184 * This package does _not_ contain the changes that were in 6.0.28-2ubuntu1.3 in -proposed. -- Marc Deslauriers <marc.deslauri...@ubuntu.com> Mon, 26 Sep 2011 11:48:20 -0400 ** Changed in: tomcat6 (Ubuntu Lucid) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to tomcat6 in Ubuntu. https://bugs.launchpad.net/bugs/843701 Title: CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tomcat5.5/+bug/843701/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs