- Committer: Bazaar Package Importer
- Author(s): Marc Deslauriers
- Date: 2010-02-10 15:46:14 UTC
- Revision ID: james.westby@ubuntu.com-20100210154614-r0p99qzbu1g6kau1
- Tags: 6.0.20-2ubuntu2.1

* SECURITY UPDATE: arbitrary file creation or overwrite from directory
  traversal via a .. entry in a WAR file.
  - CVE-2009-2693
* SECURITY UPDATE: authentication bypass via autodeployment process
  - CVE-2009-2901
* SECURITY UPDATE: work-directory file deletion via directory traversal
  sequences in a WAR filename.
  - CVE-2009-2902
  - debian/patches/security_CVE-2009-2693_2901_2902.patch: validate file
    names and paths in java/org/apache/catalina/loader/
    {LocalStrings.properties,WebappClassLoader.java},
    java/org/apache/catalina/startup/{ContextConfig.java,ExpandWar.java,
    HostConfig.java,LocalStrings.properties}