--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-c634be56bc
2025-03-14 04:38:00.634500+00:00
--------------------------------------------------------------------------------

Name        : trafficserver
Product     : Fedora 41
Version     : 9.2.9
Release     : 1.fc41
URL         : https://trafficserver.apache.org/
Summary     : Fast, scalable and extensible HTTP/1.1 and HTTP/2 caching proxy server
Description :
Traffic Server is a high-performance building block for cloud services.
It's more than just a caching proxy server; it also has support for
plugins to build large scale web applications.

Key features:

Caching - Improve your response time, while reducing server load and
bandwidth needs by caching and reusing frequently-requested web pages,
images, and web service calls.

Proxying - Easily add keep-alive, filter or anonymize content requests, or
add load balancing by adding a proxy layer.

Fast - Scales well on modern SMP hardware, handling 10s of thousands of
requests per second.

Extensible - APIs to write your own plug-ins to do anything from modifying
HTTP headers to handling ESI requests to writing your own cache algorithm.

Proven - Handling over 400TB a day at Yahoo! both as forward and reverse
proxies, Apache Traffic Server is battle hardened.

--------------------------------------------------------------------------------
Update Information:

Changes with Apache Traffic Server 9.2.9

  #12071 - Fix chunked pipelined requests
  #12075 - Fix send 100 Continue optimization for GET
  #12077 - Fix intercept plugin ignoring ACL
  #12079 - ACL combination tests for 9.2.x

--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 5 2025 Jered Floyd 9.2.9-1
- Update to upstream 9.2.9
- Resolves CVE-2024-38311, CVE-2024-56195, CVE-2024-56196, CVE-2024-56202

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2350625 - CVE-2024-56195 trafficserver: Apache Traffic Server: Intercept plugins are not access controlled [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2350625
  [ 2 ] Bug #2350627 - CVE-2024-56202 trafficserver: Apache Traffic Server: Expect header field can unreasonably retain resource [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2350627
  [ 3 ] Bug #2350629 - CVE-2024-38311 trafficserver: Apache Traffic Server: Request smuggling via pipelining after a chunked message body [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2350629

--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-c634be56bc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
# Security update for apache2-mod_jk

Announcement ID: SUSE-SU-2023:4513-1
Rating: important
References:

* bsc#1114612

Cross-References:

* CVE-2018-11759

CVSS scores:

* CVE-2018-11759 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2018-11759 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:

* openSUSE Leap 15.4
* openSUSE Leap 15.5
* Server Applications Module 15-SP4
* Server Applications Module 15-SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3

An update that solves one vulnerability can now be installed.

## Description:

This update for apache2-mod_jk fixes the following issues:

Update to version 1.2.49:

Apache

* Retrieve default request id from mod_unique_id. It can also be taken from an arbitrary environment variable by configuring "JkRequestIdIndicator".
* Don't delegate the generation of the response body to httpd when the status code represents an error if the request used the HEAD method.
* Only export the main module symbol. Visibility of module internal symbols led to crashes when conflicting with library symbols. Based on a patch provided by Josef Čejka.
* Remove support for implicit mapping of requests to workers. All mappings must now be explicit.

IIS

* Set default request id as a GUID. It can also be taken from an arbitrary request header by configuring "request_id_header".
* Fix non-empty check for the Translate header.

Common

* Fix compiler warning when initializing and copying fixed length strings.
* Add a request id to mod_jk log lines.
* Enable configure to find the correct sizes for pid_t and pthread_t when building on MacOS.
* Fix Clang 15/16 compatibility. Pull request #6 provided by Sam James.
* Improve XSS hardening in status worker.
* Add additional bounds and error checking when reading AJP messages.

Docs

* Remove support for the Netscape / Sun ONE / Oracle iPlanet Web Server as the product has been retired.
* Remove links to the old JK2 documentation. The JK2 documentation is still available, it is just no longer linked from the current JK documentation.
* Restructure subsections in changelog starting with version 1.2.45.

Changes for 1.2.47 and 1.2.48 updates:

* Add: Apache: Extend trace level logging of method entry/exit to aid debugging of request mapping issues.
* Fix: Apache: Fix a bug in the normalization checks that prevented file based requests, such as SSI file includes, from being processed.
* Fix: Apache: When using JkAutoAlias, ensure that files that include spaces in their name are accessible.
* Update: Common: Update the documentation to reflect that the source code for the Apache Tomcat Connectors has moved from Subversion to Git.
* Fix: Common: When using set_session_cookie, ensure that an updated session cookie is issued if the load-balancer has to failover to a different worker.
* Update: Common: Update config.guess and config.sub from https://git.savannah.gnu.org/git/config.git/
* Update: Common: Update release script for migration to git.

Update to version 1.2.46

Fixes:

* Apache: Fix regression in 1.2.44 which resulted in socket_connect_timeout to be interpreted in units of seconds instead of milliseconds on platforms that provide poll(). (rjung)
* Security: CVE-2018-11759 Connector path traversal [bsc#1114612]

Update to version 1.2.45

Fixes:

* Correct regression in 1.2.44 that broke request handling for OPTIONS* requests. (rjung)
* Improve path parameter parsing so that the session ID specified by the session_path worker property for load-balanced workers can be extracted from a path parameter in any segment of the URI, rather than only from the final segment. (markt)
* Apache: Improve path parameter handling so that JkStripSession can remove session IDs that are specified on path parameters in any segment of the URI rather than only the final segment. (markt)
* IIS: Improve path parameter handling so that strip_session can remove session IDs that are specified on path parameters in any segment of the URI rather than only the final segment. (markt)

Updates:

* Apache: Update the documentation to note additional limitations of the JkAutoAlias directive. (markt)

Code:

* Common: Optimize path parameter handling. (rjung)

Update to version 1.2.44

Updates:

* Remove the Novell Netware make files and Netware specific source code since there has not been a supported version of Netware available for over five years. (markt)
* Apache: Update the documentation to use httpd 2.4.x style access control directives. (markt)
* Update PCRE bundled with the ISAPI redirector to 8.42. (rjung)
* Update config.guess and config.sub from https://git.savannah.gnu.org/git/config.git/ (rjung)

Fixes:

* Common: Use Local, rather than Global, mutexes on Windows to better support multi-user environments. (markt)
* Apache: Use poll rather than select to avoid the limitations of select triggering an httpd crash. Patch provided by Koen Wilde. (markt)
* ISAPI: Remove the check that rejects requests that contain path segments that match WEB-INF or META-INF as it duplicates a check that Tomcat performs and, because ISAPI does not have visibility of the current context path, it is impossible to implement this check without valid requests being rejected. (markt)
* Refactor normalisation of request URIs to a common location and align the normalisation implementation for mod_jk with that implemented by Tomcat. (markt)

Add:

* Clarify the behaviour of lb workers when all ajp13 workers fail with particular reference to the role of the retries attribute. (markt)
* Add the new load-balancer worker property lb_retries to improve the control over the number of retries. Based on a patch provided by Frederik Nosi. (markt)
* Add a note to the documentation that the CollapseSlashes options are now effectively hard-coded to CollapseSlashesAll due to the changes made to align normalization with that implemented in Tomcat. (markt)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-4513=1
* openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2023-4513=1
* Server Applications Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP4-2023-4513=1
* Server Applications Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP5-2023-4513=1

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  * apache2-mod_jk-debuginfo-1.2.49-150100.6.6.1
  * apache2-mod_jk-debugsource-1.2.49-150100.6.6.1
  * apache2-mod_jk-1.2.49-150100.6.6.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * apache2-mod_jk-debuginfo-1.2.49-150100.6.6.1
  * apache2-mod_jk-debugsource-1.2.49-150100.6.6.1
  * apache2-mod_jk-1.2.49-150100.6.6.1
* Server Applications Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  * apache2-mod_jk-debuginfo-1.2.49-150100.6.6.1
  * apache2-mod_jk-debugsource-1.2.49-150100.6.6.1
  * apache2-mod_jk-1.2.49-150100.6.6.1
* Server Applications Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  * apache2-mod_jk-debuginfo-1.2.49-150100.6.6.1
  * apache2-mod_jk-debugsource-1.2.49-150100.6.6.1
  * apache2-mod_jk-1.2.49-150100.6.6.1

## References:

* https://www.suse.com/security/cve/CVE-2018-11759.html
* https://bugzilla.suse.com/show_bug.cgi?id=1114612
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2405-1
- -------------------------------------------------------------------------

Oleg Kalnichevski discovered that httpcomponents-client, a Java library
for building HTTP-aware applications, can misinterpret a malformed
authority component in request URIs passed to the library as
java.net.URI object and pick the wrong target host for request .
MGASA-2019-0109 - Updated apache packages fix security vulnerability

Publication date: 14 Mar 2019
URL: https://advisories.mageia.org/MGASA-2019-0109.html
Type: security
Affected Mageia releases: 6
CVE: CVE-2018-17189, CVE-2018-17199

By sending request bodies in a slow loris way to plain resources, the h2
stream for that request unnecessarily occupied a server thread cleaning up
that incoming data. This affects only HTTP/2 (mod_http2) connections in
Apache HTTP Server versions 2.4.37 and prior (CVE-2018-17189).

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the
session expiry time before decoding the session. This causes session expiry
time to be ignored for mod_session_cookie sessions since the expiry time is
loaded when the session is decoded (CVE-2018-17199).

The apache package has been updated to version 2.4.38, fixing these issues
and several other bugs. See the upstream CHANGES files for details.

References:
- https://bugs.mageia.org/show_bug.cgi?id=24226
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://www.cve.org/CVERecord?id=CVE-2018-17189
- https://www.cve.org/CVERecord?id=CVE-2018-17199

SRPMS:
- 6/core/apache-2.4.38-1.mga6
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-4a606489ae
2018-08-14 21:06:35.949652
--------------------------------------------------------------------------------

Name        : php-zendframework-zend-diactoros
Product     : Fedora 28
Version     : 1.8.4
Release     : 1.fc28
URL         : https://zendframework.github.io/zend-diactoros/
Summary     : PSR HTTP Message implementations
Description :
A PHP package containing implementations of the accepted PSR-7 HTTP
message interfaces [1], as well as a "server" implementation similar
to node's http.Server [2].

Documentation: https://zendframework.github.io/zend-diactoros/
Autoloader:    /usr/share/php/Zend/Diactoros/autoload.php

[1] https://www.php-fig.org/psr/psr-7/
[2] https://nodejs.org/api/http.html

--------------------------------------------------------------------------------
Update Information:

## 1.8.4 - 2018-08-01

### Added

- Nothing.

### Changed

- This release modifies how `ServerRequestFactory` marshals the request URI.
  In prior releases, we would attempt to inspect the `X-Rewrite-Url` and
  `X-Original-Url` headers, using their values, if present. These headers are
  issued by the ISAPI_Rewrite module for IIS (developed by HeliconTech).
  However, we have no way of guaranteeing that the module is what issued the
  headers, making it an unreliable source for discovering the URI. As such, we
  have removed this feature in this release of Diactoros.
  If you are developing a middleware application, you can mimic the
  functionality via middleware as follows:

  ```
  use Psr\Http\Message\ResponseInterface;
  use Psr\Http\Message\ServerRequestInterface;
  use Psr\Http\Server\RequestHandlerInterface;
  use Zend\Diactoros\Uri;

  public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
  {
      $requestUri = null;

      // getHeaderLine() returns '' (never null) when the header is absent,
      // so compare against the empty string rather than null.
      $httpXRewriteUrl = $request->getHeaderLine('X-Rewrite-Url');
      if ($httpXRewriteUrl !== '') {
          $requestUri = $httpXRewriteUrl;
      }

      // X-Original-Url takes precedence when both headers are present.
      $httpXOriginalUrl = $request->getHeaderLine('X-Original-Url');
      if ($httpXOriginalUrl !== '') {
          $requestUri = $httpXOriginalUrl;
      }

      if ($requestUri !== null) {
          $request = $request->withUri(new Uri($requestUri));
      }

      return $handler->handle($request);
  }
  ```

  If you use middleware such as the above, make sure you also instruct your
  web server to strip any incoming headers of the same name so that you can
  guarantee they are issued by the ISAPI_Rewrite module.

### Deprecated

- Nothing.

### Removed

- Nothing.

### Fixed

- Nothing.

## 1.8.3 - 2018-07-24

### Added

- Nothing.

### Changed

- Nothing.

### Deprecated

- Nothing.

### Removed

- Nothing.

### Fixed

- [#321](https://github.com/zendframework/zend-diactoros/pull/321) updates the logic in `Uri::withPort()` to ensure that it checks that the value provided is either an integer or a string integer, as only those values may be cast to integer without data loss.
- [#320](https://github.com/zendframework/zend-diactoros/pull/320) adds checking within `Response` to ensure that the provided reason phrase is a string; an `InvalidArgumentException` is now raised if it is not. This change ensures the class adheres strictly to the PSR-7 specification.
- [#319](https://github.com/zendframework/zend-diactoros/pull/319) provides a fix to `Zend\Diactoros\Response` that ensures that the status code returned is _always_ an integer (and never a string containing an integer), thus ensuring it strictly adheres to the PSR-7 specification.

## 1.8.2 - 2018-07-19

### Added

- Nothing.

### Changed

- Nothing.

### Deprecated

- Nothing.

### Removed

- Nothing.

### Fixed

- [#318](https://github.com/zendframework/zend-diactoros/pull/318) fixes the logic for discovering whether an HTTPS scheme is in play to be case insensitive when comparing header and SAPI values, ensuring no false negative lookups occur.
- [#314](https://github.com/zendframework/zend-diactoros/pull/314) modifies error handling around opening a file resource within `Zend\Diactoros\Stream::setStream()` to no longer use the second argument to `set_error_handler()`, and instead check the error type in the handler itself; this fixes an issue when the handler is nested inside another error handler, which currently has buggy behavior within the PHP engine.

## 1.8.1 - 2018-07-09

### Added

- Nothing.

### Changed

- [#313](https://github.com/zendframework/zend-diactoros/pull/313) changes the reason phrase associated with the status code 425 to "Too Early", corresponding to a new definition of the code as specified by the IANA.

### Deprecated

- Nothing.

### Removed

- Nothing.

### Fixed

- [#312](https://github.com/zendframework/zend-diactoros/pull/312) fixes how the `normalizeUploadedFiles()` utility function handles nested trees of uploaded files, ensuring it detects them properly.
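The trust problem behind the 1.8.4 change above (honouring `X-Rewrite-Url` / `X-Original-Url` from any client), shown as an added example that is not Diactoros code: a plain-PHP marshaling function in the pre-1.8.4 style next to a guarded version that only accepts the headers from a known front-end address and only as an origin-form path. The function names, the `$trustedProxies` list and the sample `$server`/`$headers` arrays are this example's own constructions.

```php
<?php
declare(strict_types=1);

// Added example, not Diactoros code. Function names, $trustedProxies and the
// sample arrays below are constructed for illustration.

// Pre-1.8.4 style: whichever client sends the header controls the path.
function marshalPathUnsafe(array $server, array $headers): string
{
    $path = $server['REQUEST_URI'] ?? '/';
    foreach (['x-rewrite-url', 'x-original-url'] as $name) {
        $candidate = $headers[$name] ?? '';
        if ($candidate !== '') {
            $path = $candidate;   // X-Original-Url wins when both are present
        }
    }
    return $path;
}

// Guarded: honour the rewrite headers only when the request came from the
// front end we expect to set them (assumption: identified by REMOTE_ADDR),
// and only when the value is an origin-form path, not an absolute URL or a
// protocol-relative "//host/..." reference.
function marshalPathGuarded(array $server, array $headers, array $trustedProxies): string
{
    $path = $server['REQUEST_URI'] ?? '/';
    if (!in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        return $path;             // untrusted hop: rewrite headers are ignored
    }
    foreach (['x-rewrite-url', 'x-original-url'] as $name) {
        $candidate = $headers[$name] ?? '';
        if (preg_match('#^/(?!/)#', $candidate) === 1) {
            $path = $candidate;
        }
    }
    return $path;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

// Constructed sample: a request from an external client carrying the header.
$server  = ['REQUEST_URI' => '/public/index', 'REMOTE_ADDR' => '203.0.113.7'];
$headers = ['x-original-url' => '/admin/users'];

check(marshalPathUnsafe($server, $headers) === '/admin/users',
      'unsafe variant lets the client choose the path');
check(marshalPathGuarded($server, $headers, ['10.0.0.2']) === '/public/index',
      'guarded variant ignores the header from an untrusted address');

// The same header from the trusted rewrite front end is honoured.
$server['REMOTE_ADDR'] = '10.0.0.2';
check(marshalPathGuarded($server, $headers, ['10.0.0.2']) === '/admin/users',
      'guarded variant accepts the header from the trusted hop');

// An absolute URL is refused even from the trusted hop.
$headers['x-original-url'] = 'http://other.example/x';
check(marshalPathGuarded($server, $headers, ['10.0.0.2']) === '/public/index',
      'guarded variant rejects non-path values');

echo "all checks passed\n";
```

The sample arrays key header names in lowercase because they are constructed; with a PSR-7 request you would read them via `getHeaderLine()` and apply the same origin and shape checks, in addition to stripping the headers at the web server as the changelog advises.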
## 1.8.0 - 2018-06-27

### Added

- [#307](https://github.com/zendframework/zend-diactoros/pull/307) adds the following functions under the `Zend\Diactoros` namespace, each of which may be used to derive artifacts from SAPI superglobals for the purposes of generating a `ServerRequest` instance:
  - `normalizeServer(array $server, callable $apacheRequestHeaderCallback = null) : array` (main purpose is to aggregate the `Authorization` header in the SAPI params when under Apache)
  - `marshalProtocolVersionFromSapi(array $server) : string`
  - `marshalMethodFromSapi(array $server) : string`
  - `marshalUriFromSapi(array $server, array $headers) : Uri`
  - `marshalHeadersFromSapi(array $server) : array`
  - `parseCookieHeader(string $header) : array`
  - `createUploadedFile(array $spec) : UploadedFile` (creates the instance from a normal `$_FILES` entry)
  - `normalizeUploadedFiles(array $files) : UploadedFileInterface[]` (traverses a potentially nested array of uploaded file instances and/or `$_FILES` entries, including those aggregated under mod_php, php-fpm, and php-cgi in order to create a flat array of `UploadedFileInterface` instances to use in a request)

### Changed

- Nothing.

### Deprecated

- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::normalizeServer()`; the method is no longer used internally, and users should instead use `Zend\Diactoros\normalizeServer()`, to which it proxies.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::marshalHeaders()`; the method is no longer used internally, and users should instead use `Zend\Diactoros\marshalHeadersFromSapi()`, to which it proxies.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::marshalUriFromServer()`; the method is no longer used internally. Users should use `marshalUriFromSapi()` instead.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::marshalRequestUri()`; the method is no longer used internally, and currently proxies to `marshalUriFromSapi()`, pulling the discovered path from the `Uri` instance returned by that function. Users should use `marshalUriFromSapi()` instead.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::marshalHostAndPortFromHeaders()`; the method is no longer used internally, and currently proxies to `marshalUriFromSapi()`, pulling the discovered host and port from the `Uri` instance returned by that function. Users should use `marshalUriFromSapi()` instead.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::getHeader()`; the method is no longer used internally. Users should copy and paste the functionality into their own applications if needed, or rely on headers from a fully-populated `Uri` instance instead.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::stripQueryString()`; the method is no longer used internally, and users can mimic the functionality via the expression `$path = explode('?', $path, 2)[0];`.
- [#307](https://github.com/zendframework/zend-diactoros/pull/307) deprecates `ServerRequestFactory::normalizeFiles()`; the functionality is no longer used internally, and users can use `normalizeUploadedFiles()` as a replacement.
- [#303](https://github.com/zendframework/zend-diactoros/pull/303) deprecates `Zend\Diactoros\Response\EmitterInterface` and its various implementations. These are now provided via the [zendframework/zend-httphandlerrunner](https://docs.zendframework.com/zend-httphandlerrunner/) package as 1:1 substitutions.
- [#303](https://github.com/zendframework/zend-diactoros/pull/303) deprecates the `Zend\Diactoros\Server` class. Users are directed to the `RequestHandlerRunner` class from the [zendframework/zend-httphandlerrunner](https://docs.zendframework.com/zend-httphandlerrunner/) package as an alternative.

### Removed

- Nothing.

### Fixed

- Nothing.

--------------------------------------------------------------------------------
ChangeLog:

* Thu Aug 2 2018 Shawn Iwinski - 1.8.4-1
- Update to 1.8.4 (RHBZ #1504401 / ZF2018-01 / CVE-2018-14773 / CVE-2018-14774)
* Fri Jul 13 2018 Fedora Release Engineering - 1.7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed May 30 2018 Remi Collet - 1.7.2-1
- update to 1.7.2

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1504401 - php-zendframework-zend-diactoros-1.8.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1504401

--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-4a606489ae' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-48b73ed393
2018-07-12 14:18:11.697410
--------------------------------------------------------------------------------

Name        : jetty
Product     : Fedora 28
Version     : 9.4.11
Release     : 2.v20180605.fc28
URL         : https://jetty.org/
Summary     : Java Webserver and Servlet Container
Description :
Jetty is a 100% Java HTTP Server and Servlet Container. This means that you
do not need to configure and run a separate web server (like Apache) in
order to use Java, servlets and JSPs to generate dynamic content. Jetty is a
fully featured web server for static and dynamic content. Unlike separate
server/container solutions, this means that your web server and web
application run in the same process, without interconnection overheads and
complications. Furthermore, as a pure java component, Jetty can be simply
included in your application for demonstration, distribution or deployment.
Jetty is available on all Java supported platforms.

--------------------------------------------------------------------------------
Update Information:

Update to upstream version 9.4.11. Fixes CVE-2017-7656, CVE-2017-7657,
CVE-2017-7658.

--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 2 2018 Michael Simacek - 9.4.11-2.v20180605
- Fix missing classes in start.jar
* Fri Jun 8 2018 Michael Simacek - 9.4.11-1.v20180605
- Update to upstream version 9.4.11.v20180605
* Wed May 9 2018 Michael Simacek - 9.4.10-1.v20180503
- Update to upstream version 9.4.10.v20180503
* Mon Apr 30 2018 Michael Simacek - 9.4.10-0.1.RC1
- Update to upstream version 9.4.10.RC1

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1595620 - CVE-2017-7657 jetty: HTTP request smuggling
        https://bugzilla.redhat.com/show_bug.cgi?id=1595620
  [ 2 ] Bug #1595621 - CVE-2017-7658 jetty: Incorrect header handling
        https://bugzilla.redhat.com/show_bug.cgi?id=1595621
  [ 3 ] Bug #1595639 - CVE-2017-7656 jetty: HTTP request smuggling using the range header
        https://bugzilla.redhat.com/show_bug.cgi?id=1595639
  [ 4 ] Bug #1597418 - CVE-2018-12536 jetty: full server path revealed when using the default Error Handling
        https://bugzilla.redhat.com/show_bug.cgi?id=1597418

--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-48b73ed393' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3842-1
- -------------------------------------------------------------------------

Two vulnerabilities were discovered in tomcat7, a servlet and JSP engine.

CVE-2017-5647 .
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-924-1
- -------------------------------------------------------------------------

Package        : tomcat7
Version        : 7.0.28-4+deb7u12
CVE ID         : CVE-2017-5647 CVE-2017-5648
Debian Bug     : 860068

Two security vulnerabilities have been discovered in the Tomcat servlet and
JSP engine.

CVE-2017-5647

    A bug in the handling of the pipelined requests when send file was used
    resulted in the pipelined request being lost when send file processing
    of the previous request completed. This could result in responses
    appearing to be sent for the wrong request.

CVE-2017-5648

    It was noticed that some calls to application listeners did not use the
    appropriate facade object. When running an untrusted application under
    a SecurityManager, it was therefore possible for that untrusted
    application to retain a reference to the request or response object and
    thereby access and/or modify information associated with another web
    application.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u12.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS