tomcat-7.0.69-12.el7

Errata ID: AXSA:2017-1748:02

Release date: 
Thursday, July 27, 2017 - 12:54
Subject: 
tomcat-7.0.69-12.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by
Sun under the Java Community Process.

Tomcat is developed in an open and participatory environment and
released under the Apache Software License version 2.0. Tomcat is intended
to be a collaboration of the best-of-breed developers from around the world.

Security issues fixed with this release:

CVE-2017-5648
While investigating bug 60718, it was noticed that some calls to
application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to
8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the
appropriate facade object. When running an untrusted application under
a SecurityManager, it was therefore possible for that untrusted
application to retain a reference to the request or response object
and thereby access and/or modify information associated with another
web application.

CVE-2017-5664
The error page mechanism of the Java Servlet Specification requires
that, when an error occurs and an error page is configured for the
error that occurred, the original request and response are forwarded
to the error page. This means that the request is presented to the
error page with the original HTTP method. If the error page is a
static file, expected behaviour is to serve content of the file as if
processing a GET request, regardless of the actual HTTP method. The
Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to
8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this.
Depending on the original request this could lead to unexpected and
undesirable results for static error pages including, if the
DefaultServlet is configured to permit writes, the replacement or
removal of the custom error page. Notes for other user provided error
pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP
method. JSPs used as error pages must ensure that they handle
any error dispatch as a GET request, regardless of the actual method.
(2) By default, the response generated by a Servlet does depend on
the HTTP method. Custom Servlets used as error pages must ensure
that they handle any error dispatch as a GET request, regardless of
the actual method.
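
Note (2) above, shown as an added example that is not part of the original advisory or of Tomcat's own code: a custom error-page Servlet that renders every error dispatch as if it were a GET, whatever method the failed request used. The class name `ErrorPageServlet` and the `/error` location are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.DispatcherType;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical error-page servlet, assumed to be mapped to /error and referenced
// from web.xml with <error-page><location>/error</location></error-page>.
public class ErrorPageServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    // Override service() rather than doGet(): HttpServlet.service() routes by HTTP
    // method, and an error dispatch arrives with the ORIGINAL method (PUT, DELETE,
    // POST, ...), so a servlet that only implements doGet() would not render.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getDispatcherType() == DispatcherType.ERROR) {
            // Ignore the original method and always produce the read-only page.
            renderError(req, resp);
            return;
        }
        // A direct request to the error location is not an error dispatch.
        resp.sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    private void renderError(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The container sets this attribute on error dispatch; nothing supplied by
        // the client is echoed into the page.
        Object status = req.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("Request failed with status " + (status != null ? status : "unknown"));
    }
}
```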

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. tomcat-7.0.69-12.el7.src.rpm
    MD5: dcd7806def3081302d680dc6f5d1c2c4
    SHA-256: 949056c260cc04dd6c0b16026e4dba4dba49b3a69b6e149802954c143d4a933a
    Size: 4.57 MB

Asianux Server 7 for x86_64
  1. tomcat-7.0.69-12.el7.noarch.rpm
    MD5: a5843a3114e3085f0971797398acba02
    SHA-256: d32609c38fb5caaa34ed1d3fc9feb6c25c26a6839dd08c344af90916b2c3519d
    Size: 88.33 kB
  2. tomcat-admin-webapps-7.0.69-12.el7.noarch.rpm
    MD5: 6bbd23656d0b66f2498b50aab3a97796
    SHA-256: 1db6a8b60e482542123ff6357c216554000578b95af8ea574b5c1f30cfa536d7
    Size: 40.51 kB
  3. tomcat-el-2.2-api-7.0.69-12.el7.noarch.rpm
    MD5: c804d558d1d684a87420f493f2ea7bb5
    SHA-256: ecb08b9461cc563df4f6b5a8544f6d392fed7721dfa545d21fe0d2191ac004cc
    Size: 78.75 kB
  4. tomcat-jsp-2.2-api-7.0.69-12.el7.noarch.rpm
    MD5: 304c3017a545044aac041a37f7704f82
    SHA-256: 6a1782b5e66e4e230047bc02e6fdc3925edf592f9d38d457a5cae865b9b6f07e
    Size: 92.47 kB
  5. tomcat-lib-7.0.69-12.el7.noarch.rpm
    MD5: c9bd344620069df5223b98e90f291413
    SHA-256: 3c6528e5873d524773057f32b430f4c85d6ec0cc605e6b58368aa605dd2eaf02
    Size: 3.83 MB
  6. tomcat-servlet-3.0-api-7.0.69-12.el7.noarch.rpm
    MD5: 0b8ed4de6be85d233e389eb376c2cfa7
    SHA-256: e768b4209d5c164823a8d38233f9cd7f0c8c2da5657d382e98388f6956169619
    Size: 209.85 kB
  7. tomcat-webapps-7.0.69-12.el7.noarch.rpm
    MD5: e46c433cb7b195025d33dc168d603e27
    SHA-256: b8073b75a98a20a122662df1f2a5d72ce868064e74cf8090d93174df84de3cdd
    Size: 356.18 kB