=====================================================================
CERT-Renater Information Note No. 2010/VULN248
_____________________________________________________________________

DATE                  : 06/07/2010
HARDWARE PLATFORM(S)  : /
OPERATING SYSTEM(S)   : Systems running Novell ZENworks Linux Management version 7.3.
======================================================================

http://www.novell.com/support/viewContent.do?externalId=7006398
______________________________________________________________________

Tomcat 5.0.28 in ZLM 7.3 subject to "Multiple Vendor Multiple HTTP Request Smuggling Vulnerabilities"

This document (7006398) is provided subject to the disclaimer at the end of this document.

Environment

Novell ZENworks 7.3 Linux Management - ZLM7.3

Situation

Tomcat 5.0.28, which is used by ZLM, is subject to several published security vulnerabilities, among them the HTTP request smuggling issue named in the title (CVE-2005-2090):

  CVE-2005-2090
  CVE-2007-1858
  CVE-2007-2449
  CVE-2007-2450
  CVE-2007-5333
  CVE-2008-0128
  CVE-2008-1232
  CVE-2008-2370
  CVE-2008-2938
  CVE-2006-7195

For a list of security vulnerabilities in Tomcat 5, refer to http://tomcat.apache.org/security-5.html

Resolution

A fix for this issue is intended to be included in a future update to the product. In the interim, Novell has made a patch available for testing, in the form of a Field Test File (FTF). It can be obtained at

  http://download.novell.com/Download?buildid=n5vSzfHT1vs~

as ZLM 7.3 IR3 Tomcat 5.0.30.

This patch should only be applied if the symptoms above are being experienced and are causing problems. It has had limited testing and should not be used on a production system without first being checked in a test environment. Some patches have specific deployment requirements; it is very important to follow any instructions in the readme at the download site.

Please report any problems encountered when using this patch by using the feedback link on this TID.
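The request smuggling class named in the title (CVE-2005-2090) is a disagreement about message framing: a request carrying both Content-Length and Transfer-Encoding: chunked is delimited one way by a server that honours the chunked encoding and another way by one that honours Content-Length, so bytes left over from the first "request" are read as the start of a second one. The Python below is an added illustration, not Novell's or Tomcat's code: it parses a constructed raw request, flags the ambiguous header pair, and shows the leftover bytes each framing rule leaves on the connection. Function and sample names are assumptions made for this example.

```python
"""Illustrate the Content-Length / Transfer-Encoding framing disagreement behind
HTTP request smuggling (CVE-2005-2090 class). Added example, not vendor code."""

CRLF = b"\r\n"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, [(name, value)], body).

    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers, body


def framing_ambiguity(raw: bytes) -> bool:
    """True when a request carries both Content-Length and a chunked
    Transfer-Encoding. RFC 2616 section 4.4 says Transfer-Encoding wins; a peer
    that uses Content-Length instead will frame the stream differently."""
    _, headers, _ = parse_request(raw)
    has_cl = any(n == "content-length" for n, _ in headers)
    has_te = any(n == "transfer-encoding" and "chunked" in v.lower()
                 for n, v in headers)
    return has_cl and has_te


def split_by_content_length(headers, body: bytes):
    """(message body, leftover bytes) as a Content-Length-based parser sees it."""
    n = int(dict(headers)["content-length"])
    return body[:n], body[n:]


def split_by_chunked(body: bytes):
    """(decoded body, leftover bytes) as a chunked-encoding parser sees it."""
    pos, decoded = 0, b""
    while True:
        eol = body.index(CRLF, pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # chunk-size, ignore extensions
        pos = eol + 2
        if size == 0:
            # last-chunk: skip optional trailer lines up to the empty line
            while True:
                eol = body.index(CRLF, pos)
                line = body[pos:eol]
                pos = eol + 2
                if not line:
                    break
            return decoded, body[pos:]
        decoded += body[pos:pos + size]
        pos += size + 2                                 # chunk-data + CRLF


def framing_disagreement(raw: bytes):
    """Return (leftover under Content-Length, leftover under chunked).

    Any non-empty leftover under one rule but not the other is exactly the
    byte string a smuggler gets prepended to the next request on that hop."""
    _, headers, body = parse_request(raw)
    _, rest_cl = split_by_content_length(headers, body)
    _, rest_te = split_by_chunked(body)
    return rest_cl, rest_te


# Constructed sample (assumption, not captured traffic): the classic CL.TE shape.
# Content-Length: 6 covers "0\r\n\r\nG"; the chunked parser stops after the
# zero-size chunk and its terminating empty line, leaving "G" on the socket.
SMUGGLING_SAMPLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: zlm.example\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"G"
)

# Constructed clean request for comparison: one framing header, no ambiguity.
CLEAN_SAMPLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: zlm.example\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    print("ambiguous:", framing_ambiguity(SMUGGLING_SAMPLE))
    print("leftover (CL, TE):", framing_disagreement(SMUGGLING_SAMPLE))
```

A front-end that frames by Content-Length forwards all six body bytes; a Tomcat that frames by the chunked encoding treats the trailing "G" as the first byte of the next request on the same connection. Rejecting requests where framing_ambiguity() is true at the first hop removes the disagreement regardless of which rule the back end applies.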
Status

Security Alert Document

Document ID: 7006398
Creation Date: 07-05-2010
Modified Date: 07-06-2010
Novell Product: ZENworks Linux Management

Disclaimer

The origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

======================================================================

=========================================================
CERT-Renater reference servers
  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER             | tel  : 01-53-94-20-44      +
+ 151 bd de l'Hopital      | fax  : 01-53-94-20-41      +
+ 75013 Paris              | email: certsvp@renater.fr  +
=========================================================