
ELSA-2019-2205

Published: 13 Aug 2019
Source: oracle-oval
Platform: Oracle Linux 7

Description

ELSA-2019-2205: tomcat security, bug fix, and enhancement update (MODERATE)

[0:7.0.76-9]

  • Resolves: rhbz#1641873 CVE-2018-11784 tomcat: Open redirect in default servlet
  • Resolves: rhbz#1552375 CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
  • Resolves: rhbz#1552374 CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users
  • Resolves: rhbz#1590182 CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
  • Resolves: rhbz#1608609 CVE-2018-8034 tomcat: host name verification missing in WebSocket client
  • Resolves: rhbz#1588703 Backport of Negative maxCookieCount value causes exception for Tomcat
  • Resolves: rhbz#1472950 shutdown_wait option is not working for Tomcat
  • Resolves: rhbz#1455483 Add support for characters < and > to the possible whitelist values

Updated packages

Oracle Linux 7

Oracle Linux aarch64

  • tomcat 7.0.76-9.el7
  • tomcat-admin-webapps 7.0.76-9.el7
  • tomcat-docs-webapp 7.0.76-9.el7
  • tomcat-el-2.2-api 7.0.76-9.el7
  • tomcat-javadoc 7.0.76-9.el7
  • tomcat-jsp-2.2-api 7.0.76-9.el7
  • tomcat-jsvc 7.0.76-9.el7
  • tomcat-lib 7.0.76-9.el7
  • tomcat-servlet-3.0-api 7.0.76-9.el7
  • tomcat-webapps 7.0.76-9.el7

Oracle Linux x86_64

  • tomcat 7.0.76-9.el7
  • tomcat-admin-webapps 7.0.76-9.el7
  • tomcat-docs-webapp 7.0.76-9.el7
  • tomcat-el-2.2-api 7.0.76-9.el7
  • tomcat-javadoc 7.0.76-9.el7
  • tomcat-jsp-2.2-api 7.0.76-9.el7
  • tomcat-jsvc 7.0.76-9.el7
  • tomcat-lib 7.0.76-9.el7
  • tomcat-servlet-3.0-api 7.0.76-9.el7
  • tomcat-webapps 7.0.76-9.el7

Related vulnerabilities

suse-cvrf
more than 6 years ago

Security update for tomcat

suse-cvrf
more than 6 years ago

Security update for tomcat

suse-cvrf
about 7 years ago

Security update for tomcat

suse-cvrf
about 7 years ago

Security update for tomcat

CVSS3: 6.5
ubuntu
more than 7 years ago

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.