
Mageia alert MGASA-2017-0352 (tomcat)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2017-0352: Updated tomcat packages fix security vulnerability
Date:  Thu, 21 Sep 2017 15:44:13 +0200
Message-ID:  <20170921134413.CE5309F88E@duvel.mageia.org>

MGASA-2017-0352 - Updated tomcat packages fix security vulnerability

Publication date: 21 Sep 2017
URL: https://advisories.mageia.org/MGASA-2017-0352.html
Type: security
Affected Mageia releases: 5, 6
CVE: CVE-2017-7674, CVE-2017-12616

Description:

The CORS Filter did not add an HTTP Vary header indicating that the
response varies depending on Origin. This permitted client and server
side cache poisoning in some circumstances (CVE-2017-7674).

When using a VirtualDirContext it was possible to bypass security
constraints and/or view the source code of JSPs for resources served by
the VirtualDirContext using a specially crafted request (CVE-2017-12616).

Note that CVE-2017-12616 only affected tomcat 7 in Mageia 5.

References:
- https://bugs.mageia.org/show_bug.cgi?id=21714
- https://tomcat.apache.org/security-7.html#Fixed_in_Apache...
- https://tomcat.apache.org/security-7.html#Fixed_in_Apache...
- https://tomcat.apache.org/security-8.html#Fixed_in_Apache...
- https://lists.fedoraproject.org/archives/list/package-ann...
- http://openwall.com/lists/oss-security/2017/09/19/2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1...

SRPMS:
- 6/core/tomcat-8.0.46-1.mga6
- 5/core/tomcat-7.0.81-1.mga5
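The CVE-2017-7674 condition above (a response whose Access-Control-Allow-Origin is chosen per request Origin, with no Vary: Origin to tell caches it differs per origin) can be checked from captured response headers. The following checker is an added illustration, not code from the advisory or from Tomcat; the sample responses are constructed, and the function name is an assumption.

```python
"""Flag CORS responses that a cache could serve to the wrong origin
(the CVE-2017-7674 pattern: origin-specific ACAO without Vary: Origin)."""

from typing import Dict, List

# Constructed samples: the first is what an unpatched CORS filter emits,
# the second is the fixed shape carrying Vary: Origin.
VULNERABLE = """HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: https://app.example
Access-Control-Allow-Credentials: true
Cache-Control: max-age=600
"""

FIXED = """HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: https://app.example
Access-Control-Allow-Credentials: true
Vary: Origin
Cache-Control: max-age=600
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse header lines (status line skipped) into a lower-cased dict;
    repeated headers are kept in order."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cors_cache_poisoning_risk(raw: str) -> bool:
    """True when the ACAO value is origin-specific and nothing in the
    headers stops a cache from reusing the response for another origin."""
    h = parse_headers(raw)
    acao = h.get("access-control-allow-origin", [])
    if not acao or acao == ["*"]:
        return False  # constant value, so caching it is origin-independent
    vary = {t.strip().lower() for v in h.get("vary", []) for t in v.split(",")}
    if "*" in vary or "origin" in vary:
        return False  # caches key on Origin, as the fix intends
    cache_control = " ".join(h.get("cache-control", [])).lower()
    return "no-store" not in cache_control  # no-store forbids reuse entirely
```

Running this over a proxy's recorded responses is a quick way to confirm a patched tomcat is actually emitting Vary: Origin on CORS-filtered paths.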




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds