MGASA-2020-0397 - Updated tomcat packages fix a security vulnerability

Publication date: 29 Oct 2020
URL: https://advisories.mageia.org/MGASA-2020-0397.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-13943

If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources (CVE-2020-13943).

References:
- https://bugs.mageia.org/show_bug.cgi?id=27396
- https://tomcat.apache.org/security-9.html
- https://www.cve.org/CVERecord?id=CVE-2020-13943

SRPMS:
- 7/core/tomcat-9.0.38-1.mga7
Synopsis: Moderate: tomcat security, bug fix, and enhancement update
Advisory ID: SLSA-2019:2205-1
Issue Date: 2019-08-06
CVE Numbers: CVE-2018-1305 CVE-2018-1304 CVE-2018-8034 CVE-2018-8014

--

Security Fix(es):

* tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304)
* tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305)
* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)
* tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)

--

SL7

x86_64
  tomcat-7.0.76-9.el7.noarch.rpm
  tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
  tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
  tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
  tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm
  tomcat-lib-7.0.76-9.el7.noarch.rpm
  tomcat-webapps-7.0.76-9.el7.noarch.rpm
  tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm
  tomcat-javadoc-7.0.76-9.el7.noarch.rpm
  tomcat-jsvc-7.0.76-9.el7.noarch.rpm

noarch
  tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm
  tomcat-7.0.76-9.el7.noarch.rpm
  tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
  tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm
  tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
  tomcat-javadoc-7.0.76-9.el7.noarch.rpm
  tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
  tomcat-jsvc-7.0.76-9.el7.noarch.rpm
  tomcat-lib-7.0.76-9.el7.noarch.rpm
  tomcat-webapps-7.0.76-9.el7.noarch.rpm

- Scientific Linux Development Team
Red Hat Security Advisory

Synopsis: Moderate: tomcat security, bug fix, and enhancement update
Advisory ID: RHSA-2019:2205-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2019:2205
Issue date: 2019-08-06
CVE Names: CVE-2018-1304 CVE-2018-1305 CVE-2018-8014 CVE-2018-8034

1. Summary:

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch
Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

* tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304)
* tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305)
* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)
* tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1472950 - shutdown_wait option is not working for Tomcat
1548282 - CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users
1548289 - CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
1579611 - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
1588703 - Backport of Negative maxCookieCount value causes exception for Tomcat
1607580 - CVE-2018-8034 tomcat: Host name verification missing in WebSocket client

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
tomcat-7.0.76-9.el7.src.rpm

noarch:
tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
tomcat-7.0.76-9.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-javadoc-7.0.76-9.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-jsvc-7.0.76-9.el7.noarch.rpm
tomcat-lib-7.0.76-9.el7.noarch.rpm
tomcat-webapps-7.0.76-9.el7.noarch.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
tomcat-7.0.76-9.el7.src.rpm

noarch:
tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
tomcat-7.0.76-9.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-javadoc-7.0.76-9.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-jsvc-7.0.76-9.el7.noarch.rpm
tomcat-lib-7.0.76-9.el7.noarch.rpm
tomcat-webapps-7.0.76-9.el7.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
tomcat-7.0.76-9.el7.src.rpm

noarch:
tomcat-7.0.76-9.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-lib-7.0.76-9.el7.noarch.rpm
tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm
tomcat-webapps-7.0.76-9.el7.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
tomcat-7.0.76-9.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-javadoc-7.0.76-9.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-jsvc-7.0.76-9.el7.noarch.rpm
tomcat-lib-7.0.76-9.el7.noarch.rpm
tomcat-webapps-7.0.76-9.el7.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
tomcat-7.0.76-9.el7.src.rpm

noarch:
tomcat-7.0.76-9.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-lib-7.0.76-9.el7.noarch.rpm
tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm
tomcat-webapps-7.0.76-9.el7.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm
tomcat-javadoc-7.0.76-9.el7.noarch.rpm
tomcat-jsvc-7.0.76-9.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-1304
https://access.redhat.com/security/cve/CVE-2018-1305
https://access.redhat.com/security/cve/CVE-2018-8014
https://access.redhat.com/security/cve/CVE-2018-8034
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
SUSE Security Update: Security update for tomcat

Announcement ID: SUSE-SU-2018:3388-1
Rating: moderate
References: #1078677 #1082480 #1082481 #1093697 #1102379 #1102400 #1102410 #1110850
Cross-References: CVE-2017-15706 CVE-2018-11784 CVE-2018-1304 CVE-2018-1305 CVE-2018-1336 CVE-2018-8014 CVE-2018-8034 CVE-2018-8037
Affected Products:
  SUSE Linux Enterprise Server for SAP 12-SP1
  SUSE Linux Enterprise Server 12-SP1-LTSS

An update that fixes 8 vulnerabilities is now available.

Description:

This update for tomcat to version 8.0.53 fixes the following security issues:

- CVE-2018-11784: When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo'), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice. (bsc#1110850)
- CVE-2018-1336: An improper handling of overflow in the UTF-8 decoder with supplementary characters could have led to an infinite loop in the decoder, causing a Denial of Service. (bsc#1102400)
- CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. (bsc#1102379)
- CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user. (bsc#1102410)
- CVE-2018-1305: Fixed late application of security constraints that can lead to resource exposure for unauthorised users. (bsc#1082481)
- CVE-2018-1304: Fixed incorrect handling of empty string URL in security constraints that can lead to unintended exposure of resources. (bsc#1082480)
- CVE-2017-15706: Fixed incorrect documentation of the CGI Servlet search algorithm that may lead to misconfiguration. (bsc#1078677)
- CVE-2018-8014: The default settings for the CORS filter were insecure and enabled 'supportsCredentials' for all origins. (bsc#1093697)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12-SP1:
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-2433=1
- SUSE Linux Enterprise Server 12-SP1-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-2433=1

Package List:

- SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):
  tomcat-8.0.53-10.35.1
  tomcat-admin-webapps-8.0.53-10.35.1
  tomcat-docs-webapp-8.0.53-10.35.1
  tomcat-el-3_0-api-8.0.53-10.35.1
  tomcat-javadoc-8.0.53-10.35.1
  tomcat-jsp-2_3-api-8.0.53-10.35.1
  tomcat-lib-8.0.53-10.35.1
  tomcat-servlet-3_1-api-8.0.53-10.35.1
  tomcat-webapps-8.0.53-10.35.1
- SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):
  tomcat-8.0.53-10.35.1
  tomcat-admin-webapps-8.0.53-10.35.1
  tomcat-docs-webapp-8.0.53-10.35.1
  tomcat-el-3_0-api-8.0.53-10.35.1
  tomcat-javadoc-8.0.53-10.35.1
  tomcat-jsp-2_3-api-8.0.53-10.35.1
  tomcat-lib-8.0.53-10.35.1
  tomcat-servlet-3_1-api-8.0.53-10.35.1
  tomcat-webapps-8.0.53-10.35.1

References:

https://www.suse.com/security/cve/CVE-2017-15706.html
https://www.suse.com/security/cve/CVE-2018-11784.html
https://www.suse.com/security/cve/CVE-2018-1304.html
https://www.suse.com/security/cve/CVE-2018-1305.html
https://www.suse.com/security/cve/CVE-2018-1336.html
https://www.suse.com/security/cve/CVE-2018-8014.html
https://www.suse.com/security/cve/CVE-2018-8034.html
https://www.suse.com/security/cve/CVE-2018-8037.html
https://bugzilla.suse.com/1078677
https://bugzilla.suse.com/1082480
https://bugzilla.suse.com/1082481
https://bugzilla.suse.com/1093697
https://bugzilla.suse.com/1102379
https://bugzilla.suse.com/1102400
https://bugzilla.suse.com/1102410
https://bugzilla.suse.com/1110850
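For the CVE-2018-8014 item that the Scientific Linux, Red Hat and SUSE advisories above all list, an added configuration example that is not taken from any of those advisories or from the Tomcat project: two hypothetical web.xml fragments for Tomcat's built-in CorsFilter, the first making the insecure pre-fix defaults explicit, the second the allowlisted form a defender should deploy. The filter names, the origin https://app.example.com and the /api/* mapping are assumptions.

```xml
<!-- Added example (hypothetical web.xml fragments), not from any advisory on this page. -->

<!-- "CorsWeak" spells out the behaviour CVE-2018-8014 describes: every origin
     is allowed AND credentialed requests are accepted, so any site a user
     visits can make cookie-bearing cross-origin calls to this application. -->
<filter>
  <filter-name>CorsWeak</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <!-- This was the effective default before the fix; fixed releases default
         to false and refuse to initialise the filter when true is combined
         with a "*" origin list. -->
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<!-- "CorsHardened": explicit origin allowlist, credentials only for that
     allowlist, and methods/headers narrowed to what the API actually uses. -->
<filter>
  <filter-name>CorsHardened</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>https://app.example.com</param-value>  <!-- assumed origin -->
  </init-param>
  <init-param>
    <!-- Set to false instead if the cross-origin caller never needs cookies
         or an Authorization header. -->
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,Authorization</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsHardened</filter-name>
  <url-pattern>/api/*</url-pattern>  <!-- assumed API path -->
</filter-mapping>
```

A quick check on an upgraded instance is to inspect each deployed web.xml for a CorsFilter whose cors.allowed.origins is "*" while cors.support.credentials is true; after the fix such a filter fails at startup, so its presence indicates a pre-fix configuration that should be replaced by the allowlisted form.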