SuSE 10 Security Update : tomcat5 (ZYPP Patch Number 7003)
Medium Nessus Plugin ID 46170
Synopsis: The remote SuSE 10 host is missing a security-related patch.
Description: This update of Apache Tomcat 5 fixes the following security issues:
A directory traversal vulnerability allows remote attackers to create or overwrite arbitrary files and directories with a specially crafted WAR file (CVE-2009-2693 / CVE-2009-2902).
When autoDeploy is enabled, the automatic deployment process deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.
Note that this is a re-release of the security update to correct a regression. The previous patch caused Tomcat to delete files it spuriously associated with a failed undeploy.
Solution: Apply ZYPP patch number 7003.