Mageia 2019-0260: tomcat security update

    Date: 08 Sep 2019
    Category: Mageia
    Posted By: LinuxSecurity Advisories
    MGASA-2019-0260 - Updated tomcat packages fix security vulnerabilities
    
    Publication date: 08 Sep 2019
    URL: https://advisories.mageia.org/MGASA-2019-0260.html
    Type: security
    Affected Mageia releases: 7
    CVE: CVE-2019-0199,
         CVE-2019-0221,
         CVE-2019-10072
    
    Updated tomcat packages fix security vulnerabilities:
    
    The HTTP/2 implementation accepted streams with excessive numbers of
    SETTINGS frames and also permitted clients to keep streams open without
    reading/writing request/response data. By keeping streams open for
    requests that utilised the Servlet API's blocking I/O, clients were able
    to cause server-side threads to block, eventually leading to thread
    exhaustion and a DoS (CVE-2019-0199).
    
    The SSI printenv command echoes user provided data without escaping and
    is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv
    command is intended for debugging and is unlikely to be present in a
    production website (CVE-2019-0221).
    
    The fix for CVE-2019-0199 was incomplete and did not address HTTP/2
    connection window exhaustion on write. By not sending WINDOW_UPDATE
    messages for the connection window (stream 0), clients were able to cause
    server-side threads to block, eventually leading to thread exhaustion and
    a DoS (CVE-2019-10072).
    
    The tomcat package has been updated to version 9.0.21 to fix these issues.
    The tomcat-native package has also been updated to version 1.2.23.
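    As an added example (not part of the Mageia advisory and not Tomcat's own tooling), the following Python script checks a host's exposure to the three CVEs above. It compares the installed rpm version against the fixed-in versions given by the Tomcat 9 security-page references (9.0.16, 9.0.19 and 9.0.20), and then checks whether the feature each flaw depends on is actually enabled: HTTP/2 via an UpgradeProtocol element in server.xml, and SSI via the SSIServlet or SSIFilter in web.xml. The class names are the standard Tomcat ones; the two configuration snippets are constructed sample input, not files taken from a real system.

```python
import re
import xml.etree.ElementTree as ET

# Version at which each CVE is fixed, taken from the advisory's Tomcat 9
# security-page references, and the feature that must be enabled for the
# flaw to be reachable at all.
FIXES = {
    "CVE-2019-0199": ((9, 0, 16), "http2"),
    "CVE-2019-0221": ((9, 0, 19), "ssi"),
    "CVE-2019-10072": ((9, 0, 20), "http2"),
}

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"
SSI_CLASSES = {"org.apache.catalina.ssi.SSIServlet",
               "org.apache.catalina.ssi.SSIFilter"}


def parse_version(pkg):
    """Extract (major, minor, patch) from an rpm name such as
    'tomcat-9.0.21-1.mga7'; the distro release suffix is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", pkg)
    if m is None:
        raise ValueError("no x.y.z version in %r" % pkg)
    return tuple(int(x) for x in m.groups())


def http2_enabled(server_xml):
    """True if any Connector in server.xml declares the HTTP/2 upgrade protocol."""
    root = ET.fromstring(server_xml)
    return any(el.get("className") == HTTP2_CLASS
               for el in root.iter("UpgradeProtocol"))


def ssi_enabled(web_xml):
    """True if web.xml declares the SSI servlet or filter. Tomcat ships both
    commented out, so an untouched default web.xml returns False."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]   # strip the Java EE namespace
        if local in ("servlet-class", "filter-class") \
                and (el.text or "").strip() in SSI_CLASSES:
            return True
    return False


def assess(pkg, server_xml, web_xml):
    """Map each CVE to 'fixed', 'exposed' or 'not-exposed' for this host."""
    ver = parse_version(pkg)
    features = {"http2": http2_enabled(server_xml),
                "ssi": ssi_enabled(web_xml)}
    result = {}
    for cve, (fixed_in, feature) in FIXES.items():
        if ver >= fixed_in:
            result[cve] = "fixed"
        elif features[feature]:
            result[cve] = "exposed"
        else:
            result[cve] = "not-exposed"
    return result


# Constructed sample configuration (not from the advisory): HTTP/2 enabled
# on the HTTPS connector, SSI left at its default (disabled).
SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>"""

WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <!-- no SSIServlet/SSIFilter declared: SSI stays at its default, off -->
</web-app>"""

if __name__ == "__main__":
    for pkg in ("tomcat-9.0.15-1.mga7", "tomcat-9.0.21-1.mga7"):
        print(pkg, assess(pkg, SERVER_XML, WEB_XML))
```

    On a real host the inputs would be `rpm -q tomcat` and the contents of `conf/server.xml` and `conf/web.xml`. The point of the feature check is triage, not a substitute for patching: a pre-9.0.16 install with HTTP/2 disabled is "not-exposed" to the two DoS issues right now, but the update to 9.0.21 is still the fix.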
    
    References:
    - https://bugs.mageia.org/show_bug.cgi?id=24799
    - https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.16
    - https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.19
    - https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20
    - https://tomcat.apache.org/native-doc/miscellaneous/changelog.html
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0221
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072
    
    SRPMS:
    - 7/core/tomcat-9.0.21-1.mga7
    - 7/core/tomcat-native-1.2.23-1.mga7
    