You are here
Home > Preporuke > Sigurnosni nedostatak programskog paketa tomcat

Sigurnosni nedostatak programskog paketa tomcat

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Low: tomcat security update
Advisory ID: RHSA-2020:5020-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5020
Issue date: 2020-11-10
CVE Names: CVE-2020-1935
=====================================================================

1. Summary:

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) – noarch
Red Hat Enterprise Linux Client Optional (v. 7) – noarch
Red Hat Enterprise Linux ComputeNode (v. 7) – noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) – noarch
Red Hat Enterprise Linux Server (v. 7) – noarch
Red Hat Enterprise Linux Server Optional (v. 7) – noarch
Red Hat Enterprise Linux Workstation (v. 7) – noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) – noarch

3. Description:

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

Security Fix(es):

* tomcat: Mishandling of Transfer-Encoding header allows for HTTP request
smuggling (CVE-2020-1935)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1806835 – CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
tomcat-7.0.76-16.el7_9.src.rpm

noarch:
tomcat-servlet-3.0-api-7.0.76-16.el7_9.noarch.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
tomcat-7.0.76-16.el7_9.noarch.rpm
tomcat-admin-webapps-7.0.76-16.el7_9.noarch.rpm
tomcat-docs-webapp-7.0.76-16.el7_9.noarch.rpm
tomcat-el-2.2-api-7.0.76-16.el7_9.noarch.rpm
tomcat-javadoc-7.0.76-16.el7_9.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-16.el7_9.noarch.rpm
tomcat-jsvc-7.0.76-16.el7_9.noarch.rpm
tomcat-lib-7.0.76-16.el7_9.noarch.rpm
tomcat-webapps-7.0.76-16.el7_9.noarch.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
tomcat-7.0.76-16.el7_9.src.rpm

noarch:
tomcat-servlet-3.0-api-7.0.76-16.el7_9.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
tomcat-7.0.76-16.el7_9.noarch.rpm
tomcat-admin-webapps-7.0.76-16.el7_9.noarch.rpm
tomcat-docs-webapp-7.0.76-16.el7_9.noarch.rpm
tomcat-el-2.2-api-7.0.76-16.el7_9.noarch.rpm
tomcat-javadoc-7.0.76-16.el7_9.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-16.el7_9.noarch.rpm
tomcat-jsvc-7.0.76-16.el7_9.noarch.rpm
tomcat-lib-7.0.76-16.el7_9.noarch.rpm
tomcat-webapps-7.0.76-16.el7_9.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
tomcat-7.0.76-16.el7_9.src.rpm

noarch:
tomcat-7.0.76-16.el7_9.noarch.rpm
tomcat-admin-webapps-7.0.76-16.el7_9.noarch.rpm
tomcat-el-2.2-api-7.0.76-16.el7_9.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-16.el7_9.noarch.rpm
tomcat-lib-7.0.76-16.el7_9.noarch.rpm
tomcat-servlet-3.0-api-7.0.76-16.el7_9.noarch.rpm
tomcat-webapps-7.0.76-16.el7_9.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
tomcat-7.0.76-16.el7_9.noarch.rpm
tomcat-admin-webapps-7.0.76-16.el7_9.noarch.rpm
tomcat-docs-webapp-7.0.76-16.el7_9.noarch.rpm
tomcat-el-2.2-api-7.0.76-16.el7_9.noarch.rpm
tomcat-javadoc-7.0.76-16.el7_9.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-16.el7_9.noarch.rpm
tomcat-jsvc-7.0.76-16.el7_9.noarch.rpm
tomcat-lib-7.0.76-16.el7_9.noarch.rpm
tomcat-webapps-7.0.76-16.el7_9.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
tomcat-7.0.76-16.el7_9.src.rpm

noarch:
tomcat-7.0.76-16.el7_9.noarch.rpm
tomcat-admin-webapps-7.0.76-16.el7_9.noarch.rpm
tomcat-el-2.2-api-7.0.76-16.el7_9.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-16.el7_9.noarch.rpm
tomcat-lib-7.0.76-16.el7_9.noarch.rpm
tomcat-servlet-3.0-api-7.0.76-16.el7_9.noarch.rpm
tomcat-webapps-7.0.76-16.el7_9.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
tomcat-docs-webapp-7.0.76-16.el7_9.noarch.rpm
tomcat-javadoc-7.0.76-16.el7_9.noarch.rpm
tomcat-jsvc-7.0.76-16.el7_9.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-1935
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBX6qTr9zjgjWX9erEAQhhYg//Q7HmUDMmaL9edvSXdRbmyOcPC2D83/1t
HXp6cZkRUdgtKp4f07QGGDl/7FQMhwK921KQILVIjV+sgGvQCziVv5fXih0w8v1S
mFo0cLbJQujeBkRymNUctbgwsjtR2NzH3/3Y/BcAE4ohrJApcdFvKbsa78+Pb+u+
NkqwjeA25yU3uO55SAu54qyU5PwK5AzrtTupnJoP9VRUh+TiQgdcJK+grd/09Vhh
lMwR0s/45s/OTz+ezYTKVSZCz0CJvYvkyeLkAa9dZnf2HztAAitGVnSKJ6qOUwUw
b9ZJfxoQeJlL3ZLO9TDpxC1wuk/AVK9Bl1psZeoEyqPvb8zgX/3sb8rDxHWEHBho
aUrDTBUQZXPxE1h8zsrZkAODO9hj0eLVWEn2ko8OmmRyqiFib04mgHVcMbG2IdXj
vm1IZsytsNWycSYp1XUAiijeRbWD7k7v7g6HZCrRZqwUWSqAvHB3GpQYAGurvrFu
1eJrBW97VO43Eef5h7Zg9DaDkU7bp3jAg5I6WJon0A3Zp4YdlX5ofAKmND+x2cx1
s90pk+XrcN+uOi4sGXcjwEcZczGSDsA6cCMsrisBGoN//MvbUCvLYjxmX0U6Ozg1
Kv2vaqppdLFF8gsyHDX+7DIvPcb+xshuXuBGvi2xU8WQwTFCh2FW0L5gNWstZE0i
4N66CLNh08o=
=JjOC
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Top
More in Preporuke
Sigurnosni nedostatak programske biblioteke libexif

Otkriven je sigurnosni nedostatak programske biblioteke libexif za operacijski sustav Ubuntu. Otkriveni nedostatak potencijalnim napadačima omogućuje izvršavanje proizvoljnog programskog koda....

Close