160 lines
7.2 KiB
JSON
160 lines
7.2 KiB
JSON
{
|
|
"Definition": [
|
|
{
|
|
"ID": "oval:org.altlinux.errata:def:20172659",
|
|
"Version": "oval:org.altlinux.errata:def:20172659",
|
|
"Class": "patch",
|
|
"Metadata": {
|
|
"Title": "ALT-PU-2017-2659: package `tomcat` update to version 8.0.46-alt1_1jpp8",
|
|
"AffectedList": [
|
|
{
|
|
"Family": "unix",
|
|
"Platforms": [
|
|
"ALT Linux branch p9"
|
|
],
|
|
"Products": [
|
|
"ALT Server",
|
|
"ALT Virtualization Server",
|
|
"ALT Workstation",
|
|
"ALT Workstation K",
|
|
"ALT Education",
|
|
"Simply Linux",
|
|
"Starterkit"
|
|
]
|
|
}
|
|
],
|
|
"References": [
|
|
{
|
|
"RefID": "ALT-PU-2017-2659",
|
|
"RefURL": "https://errata.altlinux.org/ALT-PU-2017-2659",
|
|
"Source": "ALTPU"
|
|
},
|
|
{
|
|
"RefID": "BDU:2017-02035",
|
|
"RefURL": "https://bdu.fstec.ru/vul/2017-02035",
|
|
"Source": "BDU"
|
|
},
|
|
{
|
|
"RefID": "CVE-2017-5664",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-5664",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2017-7674",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7674",
|
|
"Source": "CVE"
|
|
}
|
|
],
|
|
"Description": "This update upgrades tomcat to version 8.0.46-alt1_1jpp8. \nSecurity Fix(es):\n\n * BDU:2017-02035: Уязвимость фильтра CORS сервера приложений Apache Tomcat, позволяющая нарушителю осуществить заражение клиента и сервера при определенных обстоятельствах\n\n * CVE-2017-5664: The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.\n\n * CVE-2017-7674: The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.",
|
|
"Advisory": {
|
|
"From": "errata.altlinux.org",
|
|
"Severity": "High",
|
|
"Rights": "Copyright 2024 BaseALT Ltd.",
|
|
"Issued": {
|
|
"Date": "2017-11-18"
|
|
},
|
|
"Updated": {
|
|
"Date": "2017-11-18"
|
|
},
|
|
"BDUs": [
|
|
{
|
|
"ID": "BDU:2017-02035",
|
|
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
|
"CWE": "CWE-345",
|
|
"Href": "https://bdu.fstec.ru/vul/2017-02035",
|
|
"Impact": "Low",
|
|
"Public": "20170811"
|
|
}
|
|
],
|
|
"CVEs": [
|
|
{
|
|
"ID": "CVE-2017-5664",
|
|
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
|
|
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
|
|
"CWE": "CWE-755",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-5664",
|
|
"Impact": "High",
|
|
"Public": "20170606"
|
|
},
|
|
{
|
|
"ID": "CVE-2017-7674",
|
|
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
|
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
|
|
"CWE": "CWE-345",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7674",
|
|
"Impact": "Low",
|
|
"Public": "20170811"
|
|
}
|
|
],
|
|
"AffectedCPEs": {
|
|
"CPEs": [
|
|
"cpe:/o:alt:kworkstation:9",
|
|
"cpe:/o:alt:workstation:9",
|
|
"cpe:/o:alt:server:9",
|
|
"cpe:/o:alt:server-v:9",
|
|
"cpe:/o:alt:education:9",
|
|
"cpe:/o:alt:slinux:9",
|
|
"cpe:/o:alt:starterkit:p9"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"Criteria": {
|
|
"Operator": "AND",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:1001",
|
|
"Comment": "ALT Linux must be installed"
|
|
}
|
|
],
|
|
"Criterias": [
|
|
{
|
|
"Operator": "OR",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20172659001",
|
|
"Comment": "tomcat is earlier than 1:8.0.46-alt1_1jpp8"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20172659002",
|
|
"Comment": "tomcat-admin-webapps is earlier than 1:8.0.46-alt1_1jpp8"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20172659003",
|
|
"Comment": "tomcat-docs-webapp is earlier than 1:8.0.46-alt1_1jpp8"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20172659004",
|
|
"Comment": "tomcat-el-3.0-api is earlier than 1:8.0.46-alt1_1jpp8"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20172659005",
|
|
"Comment": "tomcat-javadoc is earlier than 1:8.0.46-alt1_1jpp8"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20172659006",
|
|
"Comment": "tomcat-jsp-2.3-api is earlier than 1:8.0.46-alt1_1jpp8"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20172659007",
|
|
"Comment": "tomcat-jsvc is earlier than 1:8.0.46-alt1_1jpp8"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20172659008",
|
|
"Comment": "tomcat-lib is earlier than 1:8.0.46-alt1_1jpp8"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20172659009",
|
|
"Comment": "tomcat-servlet-3.1-api is earlier than 1:8.0.46-alt1_1jpp8"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20172659010",
|
|
"Comment": "tomcat-webapps is earlier than 1:8.0.46-alt1_1jpp8"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
} |