|
|
Subscribe / Log in / New account

Mageia alert MGASA-2016-0312 (tomcat)



From:
    	      Mageia Updates <buildsystem-daemon@mageia.org> 


To:
    	      updates-announce@ml.mageia.org 


Subject:
    	      [updates-announce] MGASA-2016-0312: Updated tomcat packages fix security vulnerability 


Date:
    	      Wed, 21 Sep 2016 22:38:57 +0200


Message-ID:
    	      <20160921203857.83E059F776@duvel.mageia.org>


MGASA-2016-0312 - Updated tomcat packages fix security vulnerability

Publication date: 21 Sep 2016
URL: http://advisories.mageia.org/MGASA-2016-0312.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-5388

Description:
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC
3875 section 4.1.18 and therefore does not protect applications from the
presence of untrusted client data in the HTTP_PROXY environment variable,
which might allow remote attackers to redirect an application's outbound
HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an
HTTP request, aka an "httpoxy" issue (CVE-2016-5388).

References:
- https://bugs.mageia.org/show_bug.cgi?id=19306
- http://lists.opensuse.org/opensuse-updates/2016-09/msg000...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388

SRPMS:
- 5/core/tomcat-7.0.68-1.3.mga5
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds