| 1 |
type: security |
| 2 |
subject: Updated tomcat packages fix security vulnerability |
| 3 |
CVE: |
| 4 |
- CVE-2017-5647 |
| 5 |
- CVE-2017-5648 |
| 6 |
src: |
| 7 |
5: |
| 8 |
core: |
| 9 |
- tomcat-7.0.77-1.mga5 |
| 10 |
description: | |
| 11 |
A bug in the handling of the pipelined requests when send file was used |
| 12 |
resulted in the pipelined request being lost when send file processing of |
| 13 |
the previous request completed. This could result in responses appearing |
| 14 |
to be sent for the wrong request. For example, a user agent that sent |
| 15 |
requests A, B and C could see the correct response for request A, the |
| 16 |
response for request C for request B and no response for request C |
| 17 |
(CVE-2017-5647). |
| 18 |
|
| 19 |
While investigating bug 60718, it was noticed that some calls to |
| 20 |
application listeners did not use the appropriate facade object. When |
| 21 |
running an untrusted application under a SecurityManager, it was therefore |
| 22 |
possible for that untrusted application to retain a reference to the |
| 23 |
request or response object and thereby access and/or modify information |
| 24 |
associated with another web application (CVE-2017-5648). |
| 25 |
references: |
| 26 |
- https://bugs.mageia.org/show_bug.cgi?id=20655 |
| 27 |
- http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.77 |
| 28 |
ID: MGASA-2017-0117 |
Parent Directory
| 
Revision Log