Mageia alert MGASA-2018-0150 (tomcat-native)

From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2018-0150: Updated tomcat-native package fixes security vulnerability 
Date:
    	       Wed, 28 Feb 2018 14:56:07 +0100
Message-ID:
    	       <20180228135607.898329F752@duvel.mageia.org>
MGASA-2018-0150 - Updated tomcat-native package fixes security vulnerability

Publication date: 28 Feb 2018
URL: https://advisories.mageia.org/MGASA-2018-0150.html
Type: security
Affected Mageia releases: 6
CVE: CVE-2017-15698

Description:
When parsing the AIA-Extension field of a client certificate, Apache
Tomcat Native did not correctly handle fields longer than 127 bytes. The
result of the parsing error was to skip the OCSP check. It was therefore
possible for client certificates that should have been rejected (if the
OCSP check had been made) to be accepted. Users not using OCSP checks
are not affected by this vulnerability (CVE-2017-15698).

References:
- https://bugs.mageia.org/show_bug.cgi?id=22568
-
https://lists.fedoraproject.org/archives/list/package-ann...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1...

SRPMS:
- 6/core/tomcat-native-1.2.16-1.mga6

From:		Mageia Updates <buildsystem-daemon@mageia.org>
To:		updates-announce@ml.mageia.org
Subject:		[updates-announce] MGASA-2018-0150: Updated tomcat-native package fixes security vulnerability
Date:		Wed, 28 Feb 2018 14:56:07 +0100
Message-ID:		<20180228135607.898329F752@duvel.mageia.org>