tomcat-9.0.62-27.el8_9.3

Errata ID: AXSA:2024-7490:04

Release date: 
Wednesday, January 31, 2024 - 14:47
Subject: 
tomcat-9.0.62-27.el8_9.3
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

* tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-46589
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. tomcat-9.0.62-27.el8_9.3.src.rpm
    MD5: ea70590b894c90589bb73162bfc6b3e3
    SHA-256: afdb904d9e0b5883ba6746731fadf232896a76aa2cef87546324102e1d9e26c7
    Size: 14.55 MB

Asianux Server 8 for x86_64
  1. tomcat-9.0.62-27.el8_9.3.noarch.rpm
    MD5: cfa2b2e7b613269670fa112814c5daf2
    SHA-256: 08fd9a599e61d9de0701491b8bfaae3929c38960322c8f8d326558c343d30c4d
    Size: 90.70 kB
  2. tomcat-admin-webapps-9.0.62-27.el8_9.3.noarch.rpm
    MD5: 86b40888468687b8fa014af518331ee4
    SHA-256: 4441e0776e358a27f1a6119e043ca03233b79d17599c9610cb679543c0a2c2b1
    Size: 72.39 kB
  3. tomcat-docs-webapp-9.0.62-27.el8_9.3.noarch.rpm
    MD5: e5c6cec6b20045e218d881d8383c02bb
    SHA-256: acb07fa2b1b5e3783cd3527e5c5acdeac834d21d414d0272e750dded0abcfaf6
    Size: 728.71 kB
  4. tomcat-el-3.0-api-9.0.62-27.el8_9.3.noarch.rpm
    MD5: a39ddc204a21987f65e9e0af02039642
    SHA-256: a6dcc74a74c7d3990f920621351364aaf14e9376b41ced64a0287d8303e12c68
    Size: 105.55 kB
  5. tomcat-jsp-2.3-api-9.0.62-27.el8_9.3.noarch.rpm
    MD5: 92f8ca28a96f120571fc17bb77c9db71
    SHA-256: 6480b5b8920a42d01fceb5742338811c2838eb41f73e00e953d86cbde8617433
    Size: 64.44 kB
  6. tomcat-lib-9.0.62-27.el8_9.3.noarch.rpm
    MD5: ca496fc90f2dd78f01069d07d6e3dd30
    SHA-256: 1a38780f1c734e2fc3c82448402424b5289eb59a5845440fe4c32f1ce616082b
    Size: 5.90 MB
  7. tomcat-servlet-4.0-api-9.0.62-27.el8_9.3.noarch.rpm
    MD5: cff794c4dd1f3f1aeda4e1bed94f4af9
    SHA-256: 1f7f4f40ca001ae5bafe49c26ab22cb1eda79d6863fbede218cfe418c1d9f59b
    Size: 285.49 kB
  8. tomcat-webapps-9.0.62-27.el8_9.3.noarch.rpm
    MD5: a3f8e66ee5daaf2446d45f0defbcb686
    SHA-256: dbfb26d1c30f1142f1e08a24fdd3634a2c9dcd0e08aaa70d70375789a8c3e0f4
    Size: 79.81 kB