Oval Definition:oval:com.redhat.rhsa:def:20192205
Revision Date:2019-08-06Version:638
Title:RHSA-2019:2205: tomcat security, bug fix, and enhancement update (Moderate)
Description:Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

  • tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304)

  • tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305)

  • tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)

  • tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
    • Family:unixClass:patch
    Status:Reference(s):CVE-2018-1304
    CVE-2018-1305
    CVE-2018-8014
    CVE-2018-8034
    RHSA-2019:2205
    Platform(s):Red Hat Enterprise Linux 7
    		Product(s):
    Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 7 is installed
  • AND
  • tomcat is earlier than 0:7.0.76-9.el7
  • AND tomcat is signed with Red Hat redhatrelease2 key
  • tomcat-admin-webapps is earlier than 0:7.0.76-9.el7
  • AND tomcat-admin-webapps is signed with Red Hat redhatrelease2 key
  • tomcat-docs-webapp is earlier than 0:7.0.76-9.el7
  • AND tomcat-docs-webapp is signed with Red Hat redhatrelease2 key
  • tomcat-el-2.2-api is earlier than 0:7.0.76-9.el7
  • AND tomcat-el-2.2-api is signed with Red Hat redhatrelease2 key
  • tomcat-javadoc is earlier than 0:7.0.76-9.el7
  • AND tomcat-javadoc is signed with Red Hat redhatrelease2 key
  • tomcat-jsp-2.2-api is earlier than 0:7.0.76-9.el7
  • AND tomcat-jsp-2.2-api is signed with Red Hat redhatrelease2 key
  • tomcat-jsvc is earlier than 0:7.0.76-9.el7
  • AND tomcat-jsvc is signed with Red Hat redhatrelease2 key
  • tomcat-lib is earlier than 0:7.0.76-9.el7
  • AND tomcat-lib is signed with Red Hat redhatrelease2 key
  • tomcat-servlet-3.0-api is earlier than 0:7.0.76-9.el7
  • AND tomcat-servlet-3.0-api is signed with Red Hat redhatrelease2 key
  • tomcat-webapps is earlier than 0:7.0.76-9.el7
  • AND tomcat-webapps is signed with Red Hat redhatrelease2 key
    • BACK