Synopsis: Moderate: tomcat security, bug fix, and enhancement update
Advisory ID: SLSA-2019:2205-1
Issue Date: 2019-08-06
CVE Numbers: CVE-2018-1305
CVE-2018-1304
CVE-2018-8034
CVE-2018-8014
—
Security Fix(es):
* tomcat: Incorrect handling of empty string URL in security constraints
can lead to unintended exposure of resources (CVE-2018-1304)
* tomcat: Late application of security constraints can lead to resource
exposure for unauthorised users (CVE-2018-1305)
* tomcat: Insecure defaults in CORS filter enable ‘supportsCredentials’
for all origins (CVE-2018-8014)
* tomcat: Host name verification missing in WebSocket client
(CVE-2018-8034)
—
SL7
x86_64
tomcat-7.0.76-9.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm
tomcat-lib-7.0.76-9.el7.noarch.rpm
tomcat-webapps-7.0.76-9.el7.noarch.rpm
tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm
tomcat-javadoc-7.0.76-9.el7.noarch.rpm
tomcat-jsvc-7.0.76-9.el7.noarch.rpm
noarch
tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm
tomcat-7.0.76-9.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-javadoc-7.0.76-9.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
tomcat-jsvc-7.0.76-9.el7.noarch.rpm
tomcat-lib-7.0.76-9.el7.noarch.rpm
tomcat-webapps-7.0.76-9.el7.noarch.rpm
– Scientific Linux Development Team
