CESA-2016:2093

An update for bind is now available for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name

System (DNS) protocols. BIND includes a DNS server (named); a resolver library
(routines for applications to use when interfacing with DNS); and tools for
verifying that the DNS server is operating correctly.

Security Fix(es)

* A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864)
Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges
Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.

Bugs fixed

Bug 1389652 – (CVE-2016-8864) CVE-2016-8864 bind: assertion failure while handling responses containing a DNAME answer
https://bugzilla.redhat.com/show_bug.cgi?id=1389652

CESA-2016:2046

An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es)

* It was discovered that the Tomcat packages installed configuration file/usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)
* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)
* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use
the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)
Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.

Bug Fixed
Bug 1222573 – (CVE-2014-7810) CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions
https://bugzilla.redhat.com/show_bug.cgi?id=1222573
Bug 1311085 – (CVE-2015-5346) CVE-2015-5346 tomcat: Session fixation
https://bugzilla.redhat.com/show_bug.cgi?id=1311085
Bug 1353809 – (CVE-2016-5388) CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
https://bugzilla.redhat.com/show_bug.cgi?id=1353809
Bug 1362545 – (CVE-2016-5425) CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
https://bugzilla.redhat.com/show_bug.cgi?id=1362545
Bug 1367447 – (CVE-2016-6325) CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
https://bugzilla.redhat.com/show_bug.cgi?id=1367447

CEBA-2016:2045

An update for tomcat6 is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages
(JSP) technologies.

Security Fix(es):

* It was discovered that the Tomcat packages installed certain configuration
files read by the Tomcat initialization script as writeable to the tomcat group.
A member of the group or a malicious web application deployed on Tomcat could
use this flaw to escalate their privileges. (CVE-2016-6325)

* It was found that several Tomcat session persistence mechanisms could allow a
remote, authenticated user to bypass intended SecurityManager restrictions and
execute arbitrary code in a privileged context via a web application that placed
a crafted object in a session. (CVE-2016-0714)

* It was discovered that tomcat used the value of the Proxy header from HTTP
requests to initialize the HTTP_PROXY environment variable for CGI scripts,
which in turn was incorrectly used by certain HTTP client implementations to
configure the proxy for outgoing HTTP requests. A remote attacker could possibly
use this flaw to redirect HTTP requests performed by a CGI script to an
attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)

* A directory traversal flaw was found in Tomcat’s RequestUtil.java. A remote,
authenticated user could use this flaw to bypass intended SecurityManager
restrictions and list a parent directory via a ‘/..’ in a pathname used by a web
application in a getResource, getResourceAsStream, or getResourcePaths call, as
demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)

* It was found that Tomcat could reveal the presence of a directory even when
that directory was protected by a security constraint. A user could make a
request to a directory via a URL not ending with a slash and, depending on
whether Tomcat redirected that request, could confirm whether that directory
existed. (CVE-2015-5345)

* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a
web application when a security manager was configured. This allowed a web
application to list all deployed web applications and expose sensitive
information such as session IDs. (CVE-2016-0706)

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388.
The CVE-2016-6325 issue was discovered by Red Hat Product Security.

Bug Fix(es):

* Due to a bug in the tomcat6 spec file, the catalina.out file’s md5sum, size,
and mtime attributes were compared to the file’s attributes at installation
time. Because these attributes change after the service is started, the “rpm -V”
command previously failed. With this update, the attributes mentioned above are
ignored in the RPM verification and the catalina.out file now passes the
verification check. (BZ#1357123)

Bugs Fixed

CEBA-2016:2005

Updated libtirpct packages that fix one bug are now available for Red Hat Enterprise Linux 6.

The libtirpc packages contain SunLib’s implementation of transport-independent remote procedure call (TI-RPC) documentation, which includes a library required by programs in the nfs-utils and rpcbind packages.