advisories/24755.adv

type: security
subject: Updated tomcat-native packages fix security vulnerability
CVE:
 - CVE-2018-8019
 - CVE-2018-8020
src:
  6:
   core:
     - tomcat-native-1.2.18-1.mga6
description: |
  When using an OCSP responder did not correctly handle invalid responses.
  This allowed for revoked client certificates to be incorrectly identified.
  It was therefore possible for users to authenticate with revoked
  certificates when using mutual TLS (CVE-2018-8019).

  Did not properly check OCSP pre-produced responses. Revoked client
  certificates may have not been properly identified, allowing for users to
  authenticate with revoked certificates to connections that require mutual
  TLS (CVE-2018-8020).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=24755
 - http://lists.suse.com/pipermail/sle-security-updates/2019-April/005314.html
ID: MGASA-2019-0184
1	type: security
2	subject: Updated tomcat-native packages fix security vulnerability
3	CVE:
4	- CVE-2018-8019
5	- CVE-2018-8020
6	src:
7	6:
8	core:
9	- tomcat-native-1.2.18-1.mga6
10	description: \|
11	When using an OCSP responder did not correctly handle invalid responses.
12	This allowed for revoked client certificates to be incorrectly identified.
13	It was therefore possible for users to authenticate with revoked
14	certificates when using mutual TLS (CVE-2018-8019).
15
16	Did not properly check OCSP pre-produced responses. Revoked client
17	certificates may have not been properly identified, allowing for users to
18	authenticate with revoked certificates to connections that require mutual
19	TLS (CVE-2018-8020).
20	references:
21	- https://bugs.mageia.org/show_bug.cgi?id=24755
22	- http://lists.suse.com/pipermail/sle-security-updates/2019-April/005314.html
23	ID: MGASA-2019-0184