tomcat-7.0.76-2.el7

Errata ID: AXSA:2017-1908:03

Release date: 
2017/08/28 Monday - 04:39
Title: 
tomcat-7.0.76-2.el7
Affected channels: 
Asianux Server 7 for x86_64
Severity: 
Low
Description: 

Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by
Sun under the Java Community Process.

Tomcat is developed in an open and participatory environment and
released under the Apache Software License version 2.0. Tomcat is intended
to be a collaboration of the best-of-breed developers from around the world.

CVE-2016-0762
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to
9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and
6.0.0 to 6.0.45 did not process the supplied password if the supplied
user name did not exist. This made a timing attack possible to
determine valid user names. Note that the default configuration
includes the LockOutRealm which makes exploitation of this
vulnerability harder.
CVE-2016-5018
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to
8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web
application was able to bypass a configured SecurityManager via a
Tomcat utility method that was accessible to web applications.
CVE-2016-6794
When a SecurityManager is configured, a web application's ability to
read system properties should be controlled by the SecurityManager. In
Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to
8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property
replacement feature for configuration files could be used by a
malicious web application to bypass the SecurityManager and read
system properties that should not be visible.
CVE-2016-6796
A malicious web application running on Apache Tomcat 9.0.0.M1 to
9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and
6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via
manipulation of the configuration parameters for the JSP Servlet.
CVE-2016-6797
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to
9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and
6.0.0 to 6.0.45 did not limit web application access to global JNDI
resources to those resources explicitly linked to the web application.
Therefore, it was possible for a web application to access any global
JNDI resource whether an explicit ResourceLink had been configured or
not.
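
The fix pattern for CVE-2016-0762 above, shown as an added illustration that is not Tomcat's Realm code and not part of this advisory: the leaky method skips password processing for an unknown name, while the hardened one does the same hash and comparison on every call. The class name, the in-memory user store, the PBKDF2 parameters and the sample account are assumptions made for the example.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class RealmTimingDemo {
    // Hypothetical in-memory store (not Tomcat's classes): name -> {salt, PBKDF2 hash}.
    static final Map<String, byte[][]> USERS = new HashMap<>();
    static final byte[][] DUMMY = newCred("placeholder".toCharArray()); // stands in for unknown users

    static byte[] pbkdf2(char[] pw, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(pw, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    static byte[][] newCred(char[] pw) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new byte[][] { salt, pbkdf2(pw, salt) };
    }
    // Behaviour the advisory describes: no password processing for an unknown name.
    static boolean authenticateLeaky(String user, char[] pw) {
        byte[][] c = USERS.get(user);
        if (c == null) return false; // early return is measurably faster than a hash
        return MessageDigest.isEqual(c[1], pbkdf2(pw, c[0]));
    }
    // Hardened form: hash and compare on every call, against DUMMY if the name is unknown.
    static boolean authenticateUniform(String user, char[] pw) {
        byte[][] c = USERS.getOrDefault(user, DUMMY);
        boolean match = MessageDigest.isEqual(c[1], pbkdf2(pw, c[0]));
        return USERS.containsKey(user) & match; // a DUMMY match never authenticates
    }
    public static void main(String[] args) {
        USERS.put("alice", newCred("correct horse".toCharArray())); // constructed sample account
        for (String user : new String[] { "alice", "nobody" }) {
            long t0 = System.nanoTime();
            authenticateLeaky(user, "guess".toCharArray());
            long t1 = System.nanoTime();
            authenticateUniform(user, "guess".toCharArray());
            System.out.printf("%-6s leaky=%dus uniform=%dus%n", user, (t1 - t0) / 1000, (System.nanoTime() - t1) / 1000);
        }
    }
}
```

Only the leaky variant should show a large gap between `alice` and `nobody`; the uniform variant spends the PBKDF2 cost for both names.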

Solution: 

Update packages.

Additional information: 

N/A

Download: 

SRPMS
  1. tomcat-7.0.76-2.el7.src.rpm
    MD5: f69509cc6e98c0fe665486ff16cefd94
    SHA-256: 41403b91fdc4e30e895c6c2c4571a411960418368427c3cfd3a29f116e984e7a
    Size: 4.57 MB

Asianux Server 7 for x86_64
  1. tomcat-7.0.76-2.el7.noarch.rpm
    MD5: d508c9e336020c73ad61aead42a2b9a1
    SHA-256: 673527df97fe7155da65c1a04d85e7a0776aa5dbe8db073a540918ac02685c37
    Size: 88.75 kB
  2. tomcat-admin-webapps-7.0.76-2.el7.noarch.rpm
    MD5: e4a41a94c04a3fb787d99394707a2599
    SHA-256: aebf030d721ce73b0b4e7859803b569ebe1878d736b9fe696eeb0ce7d2dd1b35
    Size: 37.20 kB
  3. tomcat-el-2.2-api-7.0.76-2.el7.noarch.rpm
    MD5: a4e5cd6dad37962a35e13e11652024d1
    SHA-256: 0a4be1035775b555c50aba6ce02553464e3e943736309af7b8f6ee75c832d4fa
    Size: 78.45 kB
  4. tomcat-jsp-2.2-api-7.0.76-2.el7.noarch.rpm
    MD5: 29762e16e553f46b0e14455385c03d1e
    SHA-256: a72260bf842b8eae1873e2865d9667f7aabfbf25db90e5bae330c5031ba95439
    Size: 92.17 kB
  5. tomcat-lib-7.0.76-2.el7.noarch.rpm
    MD5: 1f25b0d16515a5f0f59ed0a14d370d96
    SHA-256: 760ef852e6b32a7039b4c485371f3306d2d69069bfbe65ff801a416a666d6f52
    Size: 3.85 MB
  6. tomcat-servlet-3.0-api-7.0.76-2.el7.noarch.rpm
    MD5: a1a4063918213144f6a1de6f61e4cc7d
    SHA-256: dd0fb8740842a81622ee52f47c2e057671356285f5c617730976f09af23548aa
    Size: 209.54 kB
  7. tomcat-webapps-7.0.76-2.el7.noarch.rpm
    MD5: a2081ff1689ea5913bb3d31b1d334041
    SHA-256: 0426508d57ca2a63d043054bb5eaf5f4aba82701261076e5ce008536f99f04ad
    Size: 338.07 kB