This bug was fixed in the package tomcat6 - 6.0.28-10ubuntu2.2
--------------- tomcat6 (6.0.28-10ubuntu2.2) natty-security; urgency=low
* SECURITY UPDATE: information disclosure via log file - debian/patches/0015-CVE-2011-2204.patch: fix logging in java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java, java/org/apache/catalina/users/MemoryUserDatabase.java, java/org/apache/catalina/users/MemoryUser.java. - CVE-2011-2204 * SECURITY UPDATE: file restriction bypass or denial of service via untrusted web application. - debian/patches/0016-CVE-2011-2526.patch: check canonical name in java/org/apache/catalina/connector/LocalStrings.properties, java/org/apache/catalina/connector/Request.java, java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/coyote/http11/Http11AprProcessor.java, java/org/apache/coyote/http11/LocalStrings.properties, java/org/apache/tomcat/util/net/AprEndpoint.java, java/org/apache/tomcat/util/net/NioEndpoint.java. - CVE-2011-2526 * SECURITY UPDATE: AJP request spoofing and authentication bypass (LP: #843701) - debian/patches/0017-CVE-2011-3190.patch: Properly handle request bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java, java/org/apache/coyote/ajp/AjpProcessor.java. - CVE-2011-3190 * SECURITY UPDATE: HTTP DIGEST authentication weaknesses - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in java/org/apache/catalina/authenticator/DigestAuthenticator.java, java/org/apache/catalina/authenticator/LocalStrings.properties, java/org/apache/catalina/authenticator/mbeans-descriptors.xml, java/org/apache/catalina/realm/RealmBase.java, webapps/docs/config/valve.xml. - CVE-2011-1184 -- Marc Deslauriers <email address hidden> Mon, 26 Sep 2011 11:27:14 -0400
This bug was fixed in the package tomcat6 - 6.0.28-10ubuntu2.2
--------------- 10ubuntu2. 2) natty-security; urgency=low
tomcat6 (6.0.28-
* SECURITY UPDATE: information disclosure via log file patches/ 0015-CVE- 2011-2204. patch: fix logging in org/apache/ catalina/ mbeans/ MemoryUserDatab aseMBean. java, org/apache/ catalina/ users/MemoryUse rDatabase. java, org/apache/ catalina/ users/MemoryUse r.java. patches/ 0016-CVE- 2011-2526. patch: check canonical name in org/apache/ catalina/ connector/ LocalStrings. properties, org/apache/ catalina/ connector/ Request. java, org/apache/ catalina/ servlets/ DefaultServlet. java, org/apache/ coyote/ http11/ Http11AprProces sor.java, org/apache/ coyote/ http11/ LocalStrings. properties, org/apache/ tomcat/ util/net/ AprEndpoint. java, org/apache/ tomcat/ util/net/ NioEndpoint. java. patches/ 0017-CVE- 2011-3190. patch: Properly handle request apache/ coyote/ ajp/AjpAprProce ssor.java, org/apache/ coyote/ ajp/AjpProcesso r.java. patches/ 0018-CVE- 2011-1184. patch: add new nonce options in org/apache/ catalina/ authenticator/ DigestAuthentic ator.java, org/apache/ catalina/ authenticator/ LocalStrings. properties, org/apache/ catalina/ authenticator/ mbeans- descriptors. xml, org/apache/ catalina/ realm/RealmBase .java, docs/config/ valve.xml.
- debian/
java/
java/
java/
- CVE-2011-2204
* SECURITY UPDATE: file restriction bypass or denial of service via
untrusted web application.
- debian/
java/
java/
java/
java/
java/
java/
java/
- CVE-2011-2526
* SECURITY UPDATE: AJP request spoofing and authentication bypass
(LP: #843701)
- debian/
bodies in java/org/
java/
- CVE-2011-3190
* SECURITY UPDATE: HTTP DIGEST authentication weaknesses
- debian/
java/
java/
java/
java/
webapps/
- CVE-2011-1184
-- Marc Deslauriers <email address hidden> Mon, 26 Sep 2011 11:27:14 -0400