MGASA-2017-0352
- Source
- https://advisories.mageia.org/MGASA-2017-0352.html
- Import Source
- https://advisories.mageia.org/MGASA-2017-0352.json
- JSON Data
- https://api.osv.dev/v1/vulns/MGASA-2017-0352
- Related
- Published
- 2017-09-21T13:43:32Z
- Modified
- 2017-09-21T13:08:24Z
- Summary
- Updated tomcat packages fix security vulnerability
- Details
-
The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances (CVE-2017-7674).
When using a VirtualDirContext it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request (CVE-2017-12616).
Note that CVE-2017-12616 only affected tomcat 7 in Mageia 5.
- References
-
- https://advisories.mageia.org/MGASA-2017-0352.html
- https://bugs.mageia.org/show_bug.cgi?id=21714
- https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.79
- https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
- https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.45
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CH5PGYTIBGQHGGUEXRIIGNXJSLBNYYUS/
- http://openwall.com/lists/oss-security/2017/09/19/2
- Credits
-
-
- Mageia - COORDINATOR
-
Affected packages
Mageia:6 / tomcat
Package
- Name
- tomcat
- Purl
- pkg:rpm/mageia/tomcat?distro=mageia-6
Mageia:5 / tomcat
Package
- Name
- tomcat
- Purl
- pkg:rpm/mageia/tomcat?distro=mageia-5