-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: tomcat security and bug fix update
Advisory ID:       RHSA-2020:4004-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4004
Issue date:        2020-09-29
CVE Names:         CVE-2019-17563 CVE-2020-13935 
====================================================================
1. Summary:

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch
Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

Security Fix(es):

* tomcat: multiple requests with invalid payload length in a WebSocket
frame could lead to DoS (CVE-2020-13935)

* tomcat: session fixation when using FORM authentication (CVE-2019-17563)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.9 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258
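
As an added check that is not part of this advisory: the POSIX shell script below compares an installed tomcat VERSION-RELEASE string against the fixed build 7.0.76-15.el7 listed in the Package List section, so an administrator can confirm that the update actually landed. It assumes GNU coreutils (sort -V) for version ordering and uses the rpm CLI only for the optional live query; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of RHSA-2020:4004: verify that the installed
# tomcat build is at or above the fixed one listed in this advisory.
# Assumes GNU coreutils (sort -V) and, for the live check, the rpm CLI.

# VERSION-RELEASE of the fixed build (from the Package List section).
FIXED_VR="7.0.76-15.el7"

# tomcat_is_fixed VERSION-RELEASE
# Returns 0 when the given build sorts at or above FIXED_VR, 1 otherwise.
# Epoch is not considered; this assumes the package carries none.
tomcat_is_fixed() {
    installed="$1"
    # sort -V orders by version; the last line is the highest build.
    highest=$(printf '%s\n%s\n' "$installed" "$FIXED_VR" | sort -V | tail -n 1)
    [ "$highest" = "$installed" ]
}

# tomcat_status VERSION-RELEASE
# Prints a one-line verdict and returns the same exit code as tomcat_is_fixed.
tomcat_status() {
    if tomcat_is_fixed "$1"; then
        printf 'tomcat-%s: fixed (>= %s)\n' "$1" "$FIXED_VR"
        return 0
    fi
    printf 'tomcat-%s: VULNERABLE, update to >= %s\n' "$1" "$FIXED_VR"
    return 1
}

# Live check: query the installed package when run with --live on a RHEL 7 host.
if [ "${1:-}" = "--live" ]; then
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found" >&2
        exit 2
    fi
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' tomcat) || { echo "tomcat not installed"; exit 2; }
    tomcat_status "$vr"
    exit $?
fi
```

Run it with --live on the host to check the package database. Note that the already running Tomcat process keeps executing the old code until the service is restarted after the package update, so confirming the package version is only half of the verification.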

5. Bugs fixed (https://bugzilla.redhat.com/):

1523112 - tomcat systemd does not cope with - in service names.
1629162 - tomcat-dbcp.jar is missing from tomcat package
1785711 - CVE-2019-17563 tomcat: session fixation when using FORM authentication
1795645 - connection leak with StatementCache, SlowQueryReport or StatementDecoratorInterceptor
1822453 - Tomcat parses a request having an absolute URI path incorrectly and returns 404 Not Found after BZ#1455483
1831127 - Failed to install ipa-server
1857024 - CVE-2020-13935 tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
tomcat-7.0.76-15.el7.src.rpm

noarch:
tomcat-servlet-3.0-api-7.0.76-15.el7.noarch.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
tomcat-7.0.76-15.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-15.el7.noarch.rpm
tomcat-docs-webapp-7.0.76-15.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-15.el7.noarch.rpm
tomcat-javadoc-7.0.76-15.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-15.el7.noarch.rpm
tomcat-jsvc-7.0.76-15.el7.noarch.rpm
tomcat-lib-7.0.76-15.el7.noarch.rpm
tomcat-webapps-7.0.76-15.el7.noarch.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
tomcat-7.0.76-15.el7.src.rpm

noarch:
tomcat-servlet-3.0-api-7.0.76-15.el7.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
tomcat-7.0.76-15.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-15.el7.noarch.rpm
tomcat-docs-webapp-7.0.76-15.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-15.el7.noarch.rpm
tomcat-javadoc-7.0.76-15.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-15.el7.noarch.rpm
tomcat-jsvc-7.0.76-15.el7.noarch.rpm
tomcat-lib-7.0.76-15.el7.noarch.rpm
tomcat-webapps-7.0.76-15.el7.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
tomcat-7.0.76-15.el7.src.rpm

noarch:
tomcat-7.0.76-15.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-15.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-15.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-15.el7.noarch.rpm
tomcat-lib-7.0.76-15.el7.noarch.rpm
tomcat-servlet-3.0-api-7.0.76-15.el7.noarch.rpm
tomcat-webapps-7.0.76-15.el7.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
tomcat-7.0.76-15.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-15.el7.noarch.rpm
tomcat-docs-webapp-7.0.76-15.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-15.el7.noarch.rpm
tomcat-javadoc-7.0.76-15.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-15.el7.noarch.rpm
tomcat-jsvc-7.0.76-15.el7.noarch.rpm
tomcat-lib-7.0.76-15.el7.noarch.rpm
tomcat-webapps-7.0.76-15.el7.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
tomcat-7.0.76-15.el7.src.rpm

noarch:
tomcat-7.0.76-15.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-15.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-15.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-15.el7.noarch.rpm
tomcat-lib-7.0.76-15.el7.noarch.rpm
tomcat-servlet-3.0-api-7.0.76-15.el7.noarch.rpm
tomcat-webapps-7.0.76-15.el7.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
tomcat-docs-webapp-7.0.76-15.el7.noarch.rpm
tomcat-javadoc-7.0.76-15.el7.noarch.rpm
tomcat-jsvc-7.0.76-15.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-17563
https://access.redhat.com/security/cve/CVE-2020-13935
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
