
Mageia 7: 2020-0138 Moderate: Tomcat HTTP Request Smuggling Risk

Mageia 7 advisory, March 10, 2020

Summary

The updated packages fix security vulnerabilities:
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2019-17569)
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2020-1935)
When using the Apache JServ Proto...
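Both smuggling CVEs above come down to the same precondition: the reverse proxy and Tomcat disagree about where one request ends and the next begins because they treat a malformed Transfer-Encoding header differently. The following is an added example, not code from the advisory or from Tomcat: a minimal HTTP/1.1 request framer with three selectable (hypothetically named) policies for a bad Transfer-Encoding value, fed one constructed byte stream. The strict policy is what RFC 7230 section 3.3.3 requires; the two lenient policies stand in for a proxy and an origin that each "fix up" the header in a different way. The header values and request bytes are constructed for illustration and are not the specific inputs that affected Tomcat.

```python
import re

TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 'token'
CRLF = b"\r\n"


class FramingError(Exception):
    """Where a conforming server would answer 400 and close the connection."""


def parse_head(buf):
    """Split one request head off buf -> (request_line, [(name, value)], rest)."""
    end = buf.find(CRLF + CRLF)
    if end < 0:
        raise FramingError("incomplete request head")
    lines = buf[:end].split(CRLF)
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            raise FramingError("malformed header line %r" % line)
        headers.append((name.lower(), value.strip()))
    return lines[0], headers, buf[end + 4:]


def body_framing(headers, policy):
    """Decide how the body is delimited: ('chunked', None) or ('length', n).

    policy (hypothetical names for this example) is one of:
      'strict'            RFC 7230 3.3.3: unparseable Transfer-Encoding -> 400
      'prefer_chunked'    lenient: 'chunked' anywhere in the value means chunked
      'ignore_invalid_te' lenient: drop the bad header and use Content-Length
    """
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te:
        codings = [c.strip().lower() for c in b",".join(te).split(b",")]
        valid = all(TOKEN.match(c) for c in codings) and codings[-1] == b"chunked"
        if valid:
            if policy == "strict" and cl:
                raise FramingError("Transfer-Encoding and Content-Length both present")
            return ("chunked", None)            # Transfer-Encoding overrides Content-Length
        if policy == "strict":
            raise FramingError("unparseable Transfer-Encoding %r" % codings)
        if policy == "prefer_chunked" and b"chunked" in codings:
            return ("chunked", None)
        # 'ignore_invalid_te' falls through to Content-Length
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise FramingError("conflicting or non-numeric Content-Length")
        return ("length", int(cl[0]))
    return ("length", 0)


def read_chunked(buf):
    """Consume a chunked body -> (decoded_body, rest). Trailer fields are skipped."""
    out = b""
    while True:
        nl = buf.find(CRLF)
        if nl < 0:
            raise FramingError("truncated chunk-size line")
        size = int(buf[:nl].split(b";")[0].decode("ascii"), 16)
        buf = buf[nl + 2:]
        if size == 0:
            while True:                         # skip trailers up to the empty line
                nl = buf.find(CRLF)
                if nl < 0:
                    raise FramingError("truncated trailer section")
                line, buf = buf[:nl], buf[nl + 2:]
                if line == b"":
                    return out, buf
        if len(buf) < size + 2 or buf[size:size + 2] != CRLF:
            raise FramingError("bad chunk data")
        out, buf = out + buf[:size], buf[size + 2:]


def split_stream(buf, policy):
    """Frame every request in buf under policy -> [(request_line, body), ...]."""
    requests = []
    while buf:
        line, headers, buf = parse_head(buf)
        kind, n = body_framing(headers, policy)
        if kind == "chunked":
            body, buf = read_chunked(buf)
        else:
            if len(buf) < n:
                raise FramingError("truncated body")
            body, buf = buf[:n], buf[n:]
        requests.append((line, body))
    return requests


# Constructed stream: 'chunked' is not the final coding, so the header is invalid.
# Content-Length: 39 covers everything after the blank line, including the GET.
STREAM = (b"POST /upload HTTP/1.1\r\n"
          b"Host: app\r\n"
          b"Content-Length: 39\r\n"
          b"Transfer-Encoding: chunked, bogus\r\n"
          b"\r\n"
          b"0\r\n\r\n"
          b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n")


def demo():
    """Request lines each policy sees in STREAM, or the 400 it would send."""
    results = {}
    for policy in ("ignore_invalid_te", "prefer_chunked", "strict"):
        try:
            results[policy] = [line for line, _ in split_stream(STREAM, policy)]
        except FramingError as e:
            results[policy] = "400 Bad Request (%s)" % e
    return results


if __name__ == "__main__":
    for policy, seen in demo().items():
        print("%-18s -> %s" % (policy, seen))
```

A proxy running the 'ignore_invalid_te' policy forwards the stream as a single POST whose 39-byte body happens to contain a GET; an origin running 'prefer_chunked' ends the POST at the zero-length chunk and then executes the GET for /admin, which never passed the proxy's access checks. Only the strict policy refuses the message outright, which is why the fix on both sides of a proxy is to reject, not repair, an unparseable Transfer-Encoding header.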


References

- https://bugs.mageia.org/show_bug.cgi?id=26305

- http://lists.suse.com/pipermail/sle-security-updates/2020-March/006581.html

- https://tomcat.apache.org/security-9.html

- https://www.cve.org/CVERecord?id=CVE-2019-17569

- https://www.cve.org/CVERecord?id=CVE-2020-1935

- https://www.cve.org/CVERecord?id=CVE-2020-1938

Resolution

SRPMS

- 7/core/tomcat-9.0.31-1.mga7

Publication date: 10 Mar 2020
URL: https://advisories.mageia.org/MGASA-2020-0138.html
Type: security
CVE: CVE-2019-17569, CVE-2020-1935, CVE-2020-1938
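To decide whether an installed Tomcat falls inside the version ranges the summary lists, the version string has to be compared correctly, including the 9.0.0.M1 milestone builds that sort before 9.0.1 and the rpm release suffix on the Mageia package. The following is an added example, not part of the advisory or of Mageia's tooling: it encodes only the ranges stated in the summary text above (the CVE-2020-1938 text is cut off on this page, so that range is deliberately not included) and the fixed version taken from the SRPM name.

```python
import re

# Inclusive affected ranges as stated in the advisory summary. CVE-2020-1938 is
# omitted because its version ranges are truncated on this page.
AFFECTED = {
    "CVE-2019-17569": [("9.0.28", "9.0.30"), ("8.5.48", "8.5.50"), ("7.0.98", "7.0.99")],
    "CVE-2020-1935":  [("9.0.0.M1", "9.0.30"), ("8.5.0", "8.5.50"), ("7.0.0", "7.0.99")],
}
FIXED_MGA7 = "9.0.31"        # from the SRPM tomcat-9.0.31-1.mga7

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text):
    """'9.0.31', '9.0.0.M1' or an rpm string like '9.0.31-1.mga7' -> sortable tuple.

    Milestone builds (x.y.z.Mn) sort before the final x.y.z and before x.y.(z+1).
    """
    base = text.split("-", 1)[0]            # drop the rpm release, e.g. '-1.mga7'
    m = VERSION_RE.match(base)
    if not m:
        raise ValueError("unrecognised Tomcat version %r" % text)
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affected_cves(version):
    """CVEs from AFFECTED whose stated ranges contain version."""
    v = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)]


def at_or_past_fix(rpm_version):
    """True if a Mageia 7 tomcat package version is at or beyond the fixed build."""
    return parse_version(rpm_version) >= parse_version(FIXED_MGA7)


if __name__ == "__main__":
    for v in ("9.0.0.M5", "9.0.29", "8.5.47", "9.0.31-1.mga7"):
        print(v, affected_cves(v), "fixed" if at_or_past_fix(v) else "vulnerable")
```

On a Mageia 7 host the input would be the output of `rpm -q --qf '%{VERSION}-%{RELEASE}\n' tomcat`; an empty CVE list here only means the build is outside the two ranges the page states, not that it is clear of CVE-2020-1938.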
