Advisories » MGASA-2014-0149

Updated tomcat package fixes security vulnerabilities

Publication date: 03 Apr 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2013-4286, CVE-2013-4322, CVE-2013-4590


Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without
properly handling (1) a large total amount of chunked data or (2)
whitespace characters in an HTTP header value within a trailer field,
which allows remote attackers to cause a denial of service by streaming
data (CVE-2013-4322).
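
A decoder that bounds both conditions named above, as an added example (not Tomcat's code or its fix): it caps the total decoded body rather than each chunk alone, and counts every trailer byte, whitespace included, against a trailer limit. The function name, exception, limit values and sample bytes are assumptions made for this illustration.

```python
import io

HEX = b"0123456789abcdefABCDEF"

class ChunkedLimitError(ValueError):
    """Raised when a chunked body or its trailer section exceeds a cap."""

def read_chunked(stream, max_body=1 << 20, max_trailer=8192):
    """Decode an HTTP/1.1 chunked body from a binary stream, enforcing caps.

    max_body and max_trailer are illustrative limits chosen for this example.
    Returns (body_bytes, trailers_dict).
    """
    body = bytearray()
    while True:
        size_line = stream.readline(64)        # bounded read of the size line
        if not size_line.endswith(b"\r\n"):
            raise ChunkedLimitError("chunk-size line too long or truncated")
        token = size_line.split(b";", 1)[0].strip()   # drop chunk extensions
        if not token or any(c not in HEX for c in token):
            raise ValueError("bad chunk size")
        size = int(token, 16)
        if size == 0:
            break                               # last-chunk; trailers follow
        if len(body) + size > max_body:         # cap the running total
            raise ChunkedLimitError("total chunked body exceeds max_body")
        data = stream.read(size)
        if len(data) != size or stream.read(2) != b"\r\n":
            raise ValueError("malformed chunk")
        body += data
    trailers, used = {}, 0
    while True:
        line = stream.readline(max_trailer - used + 1)
        used += len(line)                       # whitespace counts toward the cap
        if used > max_trailer:
            raise ChunkedLimitError("trailer section exceeds max_trailer")
        if line == b"\r\n":
            return bytes(body), trailers
        if not line.endswith(b"\r\n") or b":" not in line:
            raise ValueError("malformed trailer")
        name, value = line[:-2].split(b":", 1)
        trailers[name.strip().lower()] = value.strip()

# Constructed sample input (not captured traffic): two chunks and one trailer.
SAMPLE_OK = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\nX-Sum: abc\r\n\r\n"

if __name__ == "__main__":
    print(read_chunked(io.BytesIO(SAMPLE_OK)))
```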

Apache Tomcat 7.x before 7.0.50 allows attackers to obtain "Tomcat
internals" information by leveraging the presence of an untrusted web
application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML
document containing an external entity declaration in conjunction with an
entity reference, related to an XML External Entity (XXE) issue