Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 527
Alerts This Week
Warning Icon 1 527

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 5 articles for you...
197

Debian 9 Stretch: DLA-2495-1 Moderate: Tomcat8 HTTP Header Leak

It was discovered that Apache Tomcat from 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an . - ----------------------------------------------------------------------- Debian LTS Advisory DLA-2495-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/lts/security/ Utkarsh Gupta December 16, 2020 https://wiki.debian.org/LTS - ----------------------------------------------------------------------- Package : tomcat8 Version : 8.5.54-0+deb9u5 CVE ID : CVE-2020-17527 It was discovered that Apache Tomcat from 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. For Debian 9 stretch, this problem has been fixed in version 8.5.54-0+deb9u5. We recommend that you upgrade your tomcat8 packages. For the detailed security status of tomcat8 please refer to its security tracker page at: Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . Enhance your Tomcat8 installations in Debian 9 Stretch to resolve an HTTP/2 vulnerability that could allow unintended information exposure.. Debian Stretch, Tomcat8 Update, HTTP/2 Security Fix. . LinuxSecurity.com Team

Calendar%202 Dec 16, 2020 Debian LTS
198

Arch Linux ASA-202012-4 Medium: Tomcat8 Info Disclosure Threat

The package tomcat8 before version 8.5.60-1 is vulnerable to information disclosure. . Arch Linux Security Advisory ASA-202012-4 ======================================== Severity: Medium Date : 2020-12-05 CVE-ID : CVE-2020-17527 Package : tomcat8 Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-1316 Summary ====== The package tomcat8 before version 8.5.60-1 is vulnerable to information disclosure. Resolution ========= Upgrade to 8.5.60-1. # pacman -Syu "tomcat8> =8.5.60-1" The problem has been fixed upstream in version 8.5.60. Workaround ========= None. Description ========== It was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. Impact ===== A remote attacker might be able to access sensitive information via well-timed HTTP/2 requests. References ========= https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.60 https://github.com/apache/tomcat/commit/21e3408671aac7e0d7e264e720cac8b1b189eb29 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40 https://github.com/apache/tomcat/commit/d56293f816d6dc9e2b47107f208fa9e95db58c65 https://security.archlinux.org/CVE-2020-17527 . The Fedora Security Notice FSA-202012-3 informs users of a moderate risk information leak associated with nginx prior to 1.18.0-1.. Arch Linux, Tomcat8 Advisory, Information Disclosure Risk. . Severity: Medium. LinuxSecurity.com Team

Calendar%202 Dec 09, 2020 Medium ArchLinux
198

Arch Linux: 202006-16 Medium: Tomcat8 Denial Of Service

The package tomcat8 before version 8.5.56-1 is vulnerable to denial of service. . Arch Linux Security Advisory ASA-202006-16 ========================================= Severity: Medium Date : 2020-06-28 CVE-ID : CVE-2020-11996 Package : tomcat8 Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-1197 Summary ====== The package tomcat8 before version 8.5.56-1 is vulnerable to denial of service. Resolution ========= Upgrade to 8.5.56-1. # pacman -Syu "tomcat8> =8.5.56-1" The problem has been fixed upstream in version 8.5.56. Workaround ========= None. Description ========== A denial of service has been found in Apache Tomcat before 9.0.36 and 8.5.56, where a specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. Impact ===== A remote attacker might be able to cause a denial of service via a specially crafted sequence of HTTP/2 requests. References ========= https://www.openwall.com/lists/oss-security/2020/06/25/6 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.36 https://github.com/apache/tomcat/commit/9a0231683a77e2957cea0fdee88b193b30b0c976 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.56 https://github.com/apache/tomcat/commit/c8acd2ab7371e39aeca7c306f3b5380f00afe552 https://security.archlinux.org/CVE-2020-11996 . A security advisory for Tomcat8 on Arch Linux warns of a potential DoS vulnerability. Users should quickly apply updates using 'sudo pacman -Syu tomcat8' for protection.. Arch Linux, tomcat8, denial of service, security advisory, software update. . Severity: Medium. LinuxSecurity.com Team

Calendar%202 Jun 30, 2020 Medium ArchLinux
198

Arch Linux: ASA-202006-5 High: tomcat8 Arbitrary Code Execution

The package tomcat8 before version 8.5.55-1 is vulnerable to arbitrary code execution. . Arch Linux Security Advisory ASA-202006-5 ======================================== Severity: High Date : 2020-06-06 CVE-ID : CVE-2020-9484 Package : tomcat8 Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-1170 Summary ====== The package tomcat8 before version 8.5.55-1 is vulnerable to arbitrary code execution. Resolution ========= Upgrade to 8.5.55-1. # pacman -Syu "tomcat8> =8.5.55-1" The problem has been fixed upstream in version 8.5.55. Workaround ========= None. Description ========== When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if: a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. Impact ===== A remote attacker can execute code on the affected host if they control the file content and know the path. References ========= https://lists.apache.org/thread/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1@%3Cannounce.tomcat.apache.org%3E https://security.archlinux.org/CVE-2020-9484 . Arch Linux Security Advisory ASA-202006-5 ======================================== Severity: High Da. package, tomcat8, version, vulnerable, arbitrary, execution, linux. . LinuxSecurity.com Team

Calendar%202 Jun 09, 2020 ArchLinux
197

Debian LTS: DLA-2155-1 Critical: Tomcat8 Man-In-The-Middle Attack

Tomcat8 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle . Package : tomcat8 Version : 8.0.14-1+deb8u16 CVE ID : CVE-2019-12418 Tomcat8 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. For Debian 8 "Jessie", this problem has been fixed in version 8.0.14-1+deb8u16. We recommend that you upgrade your tomcat8 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . Tomcat9 security patch addresses a vulnerability in the AJP connector that could allow remote exploitation, enabling unauthorized access to the server.. Tomcat8 Security, Debian Updates, Remote Lifecycle Listener. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Mar 24, 2020 Critical Debian LTS
197

Debian: DLA-1883-1 urgent: Tomcat8 HTTP Proxy Vulnerability Advisory

Several minor issues have been fixed in tomcat8, a Java Servlet and JSP engine. . Package : tomcat8 Version : 8.0.14-1+deb8u15 CVE ID : CVE-2016-5388 CVE-2018-8014 CVE-2019-0221 Debian Bug : 929895 898935 Several minor issues have been fixed in tomcat8, a Java Servlet and JSP engine. CVE-2016-5388 Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. The 'cgi' servlet now has a 'envHttpHeaders' parameter to filter environment variables. CVE-2018-8014 The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. CVE-2019-0221 The SSI printenv command in Apache Tomcat echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. For Debian 8 "Jessie", these problems have been fixed in version 8.0.14-1+deb8u15. We recommend that you upgrade your tomcat8 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . The PostgreSQL security patch DLA-2021-3 resolves critical vulnerabilities that impact database integrity.. Tomcat8, Debian Security, Java Servlet, Maintenance Update, Web Application. .Severity: Important. LinuxSecurity.com Team

Calendar%202 Aug 13, 2019 Important Debian LTS
87

Debian: DSA-4282-1 Important: Nginx Security Vulnerability

Several issues were discovered in the Tomcat servlet and JSP engine. They could lead to unauthorized access to protected resources, denial-of-service, or information leak. . - ------------------------------------------------------------------------- Debian Security Advisory DSA-4281-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Sebastien Delafond August 29, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tomcat8 CVE ID : CVE-2018-1304 CVE-2018-1305 CVE-2018-1336 CVE-2018-8034 CVE-2018-8037 Debian Bug : 867247 Several issues were discovered in the Tomcat servlet and JSP engine. They could lead to unauthorized access to protected resources, denial-of-service, or information leak. For the stable distribution (stretch), these problems have been fixed in version 8.5.14-1+deb9u3. We recommend that you upgrade your tomcat8 packages. For the detailed security status of tomcat8 please refer to its security tracker page at: Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it. . Multiple vulnerabilities in Tomcat8 have been found, posing risks of unauthorized access and DoS attacks. Upgrading tomcat8 packages on Debian is crucial. Debian Security Advisory, Tomcat8 Update, Unauthorized Access Risk. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Aug 29, 2018 Important Debian
87

Debian: DSA-3912-1 Critical: Flaw in HTTP Request of Tomcat9

Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and JSP engine, static error pages used the original request's HTTP method to serve content, instead of systematically using the GET method. This could under certain conditions result in undesirable results, . - ------------------------------------------------------------------------- Debian Security Advisory DSA-3891-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Sebastien Delafond June 22, 2017 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tomcat8 CVE ID : CVE-2017-5664 Debian Bug : 864447 802312 Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and JSP engine, static error pages used the original request's HTTP method to serve content, instead of systematically using the GET method. This could under certain conditions result in undesirable results, including the replacement or removal of the custom error page. For the oldstable distribution (jessie), this problem has been fixed in version 8.0.14-1+deb8u10. For the stable distribution (stretch), this problem has been fixed in version 8.5.14-1+deb9u1. For the testing distribution (buster), this problem has been fixed in version 8.5.14-2. For the unstable distribution (sid), this problem has been fixed in version 8.5.14-2. We recommend that you upgrade your tomcat8 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it. . Apache Tomcat8 security notice DSA-3891-1 tackles improper handling of HTTP methods to thwart undesirable actions efficiently.. Tomcat8 Security, Debian Update, HTTP Fix. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Jun 22, 2017 Critical Debian
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200