type: security
subject: Updated tomcat packages fix security vulnerability
CVE:
 - CVE-2017-5647
 - CVE-2017-5648
src:
  5:
   core:
     - tomcat-7.0.77-1.mga5
description: |
  A bug in the handling of the pipelined requests when send file was used
  resulted in the pipelined request being lost when send file processing of
  the previous request completed. This could result in responses appearing
  to be sent for the wrong request. For example, a user agent that sent
  requests A, B and C could see the correct response for request A, the
  response for request C for request B and no response for request C
  (CVE-2017-5647).

  While investigating bug 60718, it was noticed that some calls to
  application listeners did not use the appropriate facade object. When
  running an untrusted application under a SecurityManager, it was therefore
  possible for that untrusted application to retain a reference to the
  request or response object and thereby access and/or modify information
  associated with another web application (CVE-2017-5648).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=20655
 - http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.77
ID: MGASA-2017-0117