
Scientific Linux alert SLSA-2017:1809-1 (tomcat)

From:  Pat Riehecky <riehecky@fnal.gov>
To:  <scientific-linux-errata@listserv.fnal.gov>
Subject:  Security ERRATA Important: tomcat on SL7.x (noarch)
Date:  Thu, 27 Jul 2017 13:56:49 +0000
Message-ID:  <20170727135649.29903.17576@slpackages.fnal.gov>

Synopsis:     Important: tomcat security update
Advisory ID:  SLSA-2017:1809-1
Issue Date:   2017-07-27
CVE Numbers:  CVE-2017-5648
              CVE-2017-5664
--

Security Fix(es):

* A vulnerability was discovered in the error page mechanism in Tomcat's
  DefaultServlet implementation. A crafted HTTP request could cause undesired
  side effects, possibly including the removal or replacement of the custom
  error page. (CVE-2017-5664)

* A vulnerability was discovered in Tomcat. When running an untrusted
  application under a SecurityManager it was possible, under some
  circumstances, for that application to retain references to the request or
  response objects and thereby access and/or modify information associated
  with another web application. (CVE-2017-5648)
--

SL7
  noarch
    tomcat-servlet-3.0-api-7.0.69-12.el7_3.noarch.rpm
    tomcat-7.0.69-12.el7_3.noarch.rpm
    tomcat-admin-webapps-7.0.69-12.el7_3.noarch.rpm
    tomcat-docs-webapp-7.0.69-12.el7_3.noarch.rpm
    tomcat-el-2.2-api-7.0.69-12.el7_3.noarch.rpm
    tomcat-javadoc-7.0.69-12.el7_3.noarch.rpm
    tomcat-jsp-2.2-api-7.0.69-12.el7_3.noarch.rpm
    tomcat-jsvc-7.0.69-12.el7_3.noarch.rpm
    tomcat-lib-7.0.69-12.el7_3.noarch.rpm
    tomcat-webapps-7.0.69-12.el7_3.noarch.rpm

- Scientific Linux Development Team

