Description
ELSA-2023-7065: tomcat security and bug fix update (MODERATE)
[1:9.0.62-27]
- Related: RHEL-12543
- Bump release number
[1:9.0.62-16]
- Resolves: RHEL-12543 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
- Remove JDK subpackages which are unused
[1:9.0.62-14]
- Related: RHEL-2330 Bump release number
[1:9.0.62-13]
- Resolves: RHEL-2330 Revert the fix for pki-servlet-engine
[1:9.0.62-12]
- Related: #2184135 Declare file conflicts
[1:9.0.62-11]
- Resolves: #2184135 Fix bug introduced in initial commit
[1:9.0.62-10]
- Resolves: #2210630 CVE-2023-28709 tomcat
- Resolves: #2181448 CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure
[1:9.0.62-9]
- Resolves: #2184135 Add Obsoletes to tomcat package
[1:9.0.62-8]
- Resolves: #2189676 Missing Tomcat POM files in RHEL 8.9
[1:9.0.62-7]
- Related: #2173874 Tomcat installs older java even though newer java is installed
- Bump release number
[1:9.0.62-6]
- Resolves: #2173874 Tomcat installs older java even though newer java is installed
- Sync with rhel-8.8.0 branch
Updated packages
Oracle Linux 8
Oracle Linux aarch64
tomcat  9.0.62-27.el8_9
tomcat-admin-webapps  9.0.62-27.el8_9
tomcat-docs-webapp  9.0.62-27.el8_9
tomcat-el-3.0-api  9.0.62-27.el8_9
tomcat-jsp-2.3-api  9.0.62-27.el8_9
tomcat-lib  9.0.62-27.el8_9
tomcat-servlet-4.0-api  9.0.62-27.el8_9
tomcat-webapps  9.0.62-27.el8_9
Oracle Linux x86_64
tomcat  9.0.62-27.el8_9
tomcat-admin-webapps  9.0.62-27.el8_9
tomcat-docs-webapp  9.0.62-27.el8_9
tomcat-el-3.0-api  9.0.62-27.el8_9
tomcat-jsp-2.3-api  9.0.62-27.el8_9
tomcat-lib  9.0.62-27.el8_9
tomcat-servlet-4.0-api  9.0.62-27.el8_9
tomcat-webapps  9.0.62-27.el8_9
Related CVEs
Related vulnerabilities
ELSA-2023-6570: tomcat security and bug fix update (MODERATE)
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
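The CVE-2023-28708 description above boils down to two steps: a RemoteIpFilter-style filter must honour X-Forwarded-Proto only from a trusted proxy, and when the client scheme it derives is https, the session cookie it issues must carry the Secure attribute. The Python script below is an added example written for this page, not code from the advisory or from Apache Tomcat; it models that decision, parses Set-Cookie headers to flag a session cookie that is missing Secure, and includes a `check_backend()` helper that sends a plain-HTTP request with `X-Forwarded-Proto: https` straight to a backend, the way a TLS-terminating proxy would. The sample Set-Cookie headers, the `TRUSTED_PROXIES` set and the `SESSION_COOKIE_NAMES` tuple are constructed assumptions for illustration.

```python
"""Check whether a session cookie issued behind an HTTP reverse proxy carries the
Secure attribute, the condition behind CVE-2023-28708.

Added example, not code from the advisory or from Apache Tomcat. The sample
Set-Cookie headers are constructed; the trusted-proxy set and the session
cookie names are illustrative assumptions.
"""
import http.client
from urllib.parse import urlsplit

# Assumption: the session cookie uses Tomcat's default name, JSESSIONID.
SESSION_COOKIE_NAMES = ("JSESSIONID",)


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and a dict of attributes.

    Valueless attributes such as Secure and HttpOnly are stored as True;
    attribute names are lower-cased because they are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def effective_scheme(remote_addr, connection_scheme, x_forwarded_proto, trusted_proxies):
    """Scheme the client actually used, as a RemoteIpFilter-style filter should derive it.

    X-Forwarded-Proto is honoured only when the request arrived from a trusted
    proxy; otherwise any client could claim https (or http) for itself.
    """
    if remote_addr in trusted_proxies and x_forwarded_proto:
        return x_forwarded_proto.split(",")[0].strip().lower()
    return connection_scheme.lower()


def insecure_session_cookies(set_cookie_headers, scheme):
    """Names of session cookies that lack Secure although the client is on https."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if (cookie["name"] in SESSION_COOKIE_NAMES
                and scheme == "https"
                and "secure" not in cookie["attrs"]):
            findings.append(cookie["name"])
    return findings


def check_backend(url, timeout=5):
    """Send one plain-HTTP request to the backend with X-Forwarded-Proto: https
    and report session cookies that were set without Secure.

    Run it from an address the filter trusts (Tomcat's internalProxies) against
    a URL that creates a session, e.g. a JSP that calls getSession().
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    conn.request("GET", path, headers={"X-Forwarded-Proto": "https"})
    resp = conn.getresponse()
    headers = resp.headers.get_all("Set-Cookie") or []
    conn.close()
    return insecure_session_cookies(headers, "https")


# Constructed sample responses: what a vulnerable and a fixed server would send
# back to the proxy for the same https request.
VULNERABLE_RESPONSE = ["JSESSIONID=0F6E4C2A9B1D; Path=/; HttpOnly"]
FIXED_RESPONSE = ["JSESSIONID=0F6E4C2A9B1D; Path=/; Secure; HttpOnly"]
TRUSTED_PROXIES = {"10.0.0.5"}  # assumption: the reverse proxy's address


if __name__ == "__main__":
    scheme = effective_scheme("10.0.0.5", "http", "https", TRUSTED_PROXIES)
    print("client scheme as the filter derives it:", scheme)
    print("vulnerable response:", insecure_session_cookies(VULNERABLE_RESPONSE, scheme))
    print("fixed response:     ", insecure_session_cookies(FIXED_RESPONSE, scheme))
    # A spoofed header from an untrusted address must not be honoured.
    print("untrusted client:   ", effective_scheme("203.0.113.9", "http", "https", TRUSTED_PROXIES))
```

Two things to keep in mind when using `check_backend()` against a real deployment: the request has to originate from an address matched by the filter's internalProxies setting, or the X-Forwarded-Proto header is ignored and the test says nothing; and a missing Secure attribute is only a finding if the cookie was issued for an https client, which is why the scheme check is part of the function rather than a blanket "every cookie must be Secure" rule.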