Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

A flaw was found in the way Tomcat handled the Transfer-Encoding header in HTTP requests. A specially-crafted HTTP request could prevent Tomcat from sending replies, or cause Tomcat to return truncated replies, or replies containing data related to the requests of other users, for all subsequent HTTP requests. (CVE-2010-2227)

The Tomcat security update RHSA-2009:1164 did not, unlike the erratum text stated, provide a fix for CVE-2009-0781, a cross-site scripting (XSS) flaw in the examples calendar application. With some web browsers, remote attackers could use this flaw to inject arbitrary web script or HTML via the "time" parameter. (CVE-2009-2696)

Two directory traversal flaws were found in the Tomcat deployment process. A specially-crafted WAR file could, when deployed, cause a file to be created outside of the web root into any directory writable by the Tomcat user, or could lead to the deletion of files in the Tomcat host's work directory. (CVE-2009-2693, CVE-2009-2902)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to resolve these issues. Tomcat must be restarted for this update to take effect.
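A pre-deployment check for the WAR file-creation flaw described above (CVE-2009-2693), as an added example that is not part of this advisory or of Tomcat's own code. It assumes the traversal is carried in archive entry names; the function names and the in-memory sample WAR are constructed for illustration.

```python
import io
import posixpath
import zipfile


def unsafe_war_entries(war_bytes: bytes) -> list[str]:
    """Return entry names that would resolve outside the extraction root."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            # Treat backslashes as separators, then collapse "." and ".." parts.
            normalized = posixpath.normpath(name.replace("\\", "/"))
            escapes_root = (
                normalized == ".."
                or normalized.startswith("../")
                or normalized.startswith("/")                      # absolute path
                or (len(normalized) > 1 and normalized[1] == ":")  # drive letter
            )
            if escapes_root:
                flagged.append(name)
    return flagged


def build_sample_war() -> bytes:
    """Constructed sample: two ordinary entries, one harmless '..', two escapes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("index.jsp", "<html></html>")
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("images/../logo.png", "stays inside the web root")
        war.writestr("../sibling.txt", "escapes by one level")
        war.writestr("WEB-INF/../../outside-webroot.txt", "escapes after descending")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_war_entries(build_sample_war()):
        print("refuse to deploy, entry escapes web root:", entry)
```

Running such a check in the deployment pipeline complements the package update; it does not replace it.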