
Mageia 8: 2023-0138 Critical: Tomcat Information Disclosure and Fixes

Distribution: Mageia
Date: April 15, 2023
Newly released Mageia tomcat updates patch significant security flaws identified as of April 15, 2023.

Summary

- Information disclosure due to concurrency bug (CVE-2021-43980)
- Fix for CVE-2020-9484 introduced a time of check, time of use vulnerability (CVE-2022-23181)
- Correct documentation to warn of use over untrusted networks. (CVE-2022-29885)
- Correct documentation showing use of XSS vulnerability. (CVE-2022-34305)
- Fix to reject invalid Content-Length header (CVE-2022-42252)
- Fix FileUpload limiting of the number of request parts to be processed to prevent the possibility of an attacker triggering a DoS (CVE-2023-24998)
- Fix setting of session cookie secure attribute when using RemoteIpFilter with X-Forwarded-Proto header set to https (CVE-2023-28708)
- Obsolete tomcat-jsvc
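The "reject invalid Content-Length header" item (CVE-2022-42252) is worth seeing in code. When a front-end proxy and a back-end server disagree about how a malformed Content-Length is interpreted, the two can desynchronise on where one request ends and the next begins; the safe behaviour on the server side is to reject anything that is not a plain, consistent decimal length. The following Python validator is an added example written for this page, not Tomcat's code, and implements the value grammar from RFC 9110 section 8.6 (each value is 1*DIGIT; a repeated or comma-separated field is acceptable only when every member is identical). The sample header sets in `demo()` are constructed for illustration.

```python
"""Strict Content-Length validation (added example, not Tomcat's implementation)."""
import re

# RFC 9110: Content-Length = 1*DIGIT. No sign, no whitespace inside, no hex.
_DIGITS = re.compile(r"[0-9]+")


def parse_content_length(values):
    """Return the declared length as int, or None if the field set is invalid.

    values: every Content-Length value found in the request, in order.
    A field sent several times, or as a comma-separated list, is only valid
    when all members are the same exact token; anything else is rejected so
    that this server can never disagree with a stricter peer.
    """
    members = []
    for raw in values:
        for part in raw.split(","):
            member = part.strip(" \t")  # optional whitespace around list members
            if not _DIGITS.fullmatch(member):
                return None
            members.append(member)
    if not members:
        return None
    if len(set(members)) != 1:  # "42" and "042" are treated as different
        return None
    return int(members[0])


def content_length_from_headers(headers):
    """headers: list of (name, value) pairs as parsed from the request line block.

    Returns (ok, length). ok=False means the request must be refused outright
    (HTTP 400) rather than guessed at; length is None when no body is declared.
    """
    values = [v for (n, v) in headers if n.lower() == "content-length"]
    if not values:
        return True, None
    length = parse_content_length(values)
    if length is None:
        return False, None
    return True, length


def demo():
    """Run a few constructed header sets and return the decisions."""
    samples = {
        "single value": [("Host", "example.test"), ("Content-Length", "7")],
        "repeated identical": [("Content-Length", "7"), ("content-length", "7")],
        "conflicting": [("Content-Length", "7"), ("Content-Length", "8")],
        "signed": [("Content-Length", "+7")],
        "embedded space": [("Content-Length", "1 7")],
        "hex": [("Content-Length", "0x11")],
    }
    return {name: content_length_from_headers(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision}")
```

Only `single value` and `repeated identical` are accepted; every other sample is refused. Logging the refusal with the offending raw values is the useful detection signal, because a burst of such rejections from one client is rarely accidental.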

References

- https://bugs.mageia.org/show_bug.cgi?id=30113

- https://lists.suse.com/pipermail/sle-security-updates/2022-March/010339.html

- https://lists.suse.com/pipermail/sle-security-updates/2022-April/010734.html

- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.65

- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.62

- https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html

- https://lists.debian.org/debian-security-announce/2022/msg00235.html

- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.68

- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.69

- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.71

- https://lists.suse.com/pipermail/sle-security-updates/2023-March/014018.html

- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.72

- https://www.cve.org/CVERecord?id=CVE-2021-43980

- https://www.cve.org/CVERecord?id=CVE-2022-23181

- https://www.cve.org/CVERecord?id=CVE-2022-29885

- https://www.cve.org/CVERecord?id=CVE-2022-34305

- https://www.cve.org/CVERecord?id=CVE-2022-42252

- https://www.cve.org/CVERecord?id=CVE-2022-45143

- https://www.cve.org/CVERecord?id=CVE-2023-24998

- https://www.cve.org/CVERecord?id=CVE-2023-28708

Resolution

SRPMS

- 8/core/tomcat-9.0.73-1.1.mga8

Severity

critical

Publication date: 15 Apr 2023
URL: https://advisories.mageia.org/MGASA-2023-0138.html
Type: security
CVE: CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252, CVE-2022-45143, CVE-2023-24998, CVE-2023-28708
