MGASA-2016-0417

Source
https://advisories.mageia.org/MGASA-2016-0417.html
Import Source
https://advisories.mageia.org/MGASA-2016-0417.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2016-0417
Published
2016-12-11T22:44:05Z
Modified
2016-12-11T22:34:01Z
Summary
Updated tomcat package fixes security vulnerabilities
Details

The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web cache, perform an XSS attack and/or obtain sensitive information from requests other than their own (CVE-2016-6816).

The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical because of the small number of installations using this listener and because it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used (CVE-2016-8735).

Affected packages

Mageia:5 / tomcat

Package

Name
tomcat
Purl
pkg:rpm/mageia/tomcat?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
7.0.73-1.mga5

Ecosystem specific

{
    "section": "core"
}