Updated tomcat package fixes security vulnerabilities
Publication date: 03 Apr 2014
Modification date: 03 Apr 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2013-4286, CVE-2013-4322, CVE-2013-4590
Description
Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without
properly handling (1) a large total amount of chunked data or (2)
whitespace characters in an HTTP header value within a trailer field,
which allows remote attackers to cause a denial of service by streaming
data (CVE-2013-4322).
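
The two conditions named for CVE-2013-4322, shown from the defensive side in an added Python example (not Tomcat's code and not part of the advisory): a chunked-body decoder that caps the running total of chunk data and the raw size of the trailer section. The limit values and every name below are assumptions chosen for illustration.

```python
# Added illustration, not Tomcat code. Limit values are assumptions.
MAX_BODY = 1024      # assumed cap on total decoded body bytes
MAX_TRAILER = 256    # assumed cap on raw trailer bytes
HEX = b"0123456789abcdefABCDEF"


class ChunkedError(ValueError):
    """Malformed chunked body, or a configured limit was exceeded."""


def _line(data, pos):
    """Return (line, next_pos) for the CRLF-terminated line at pos."""
    eol = data.find(b"\r\n", pos)
    if eol < 0:
        raise ChunkedError("truncated input")
    return data[pos:eol], eol + 2


def decode_chunked(data, max_body=MAX_BODY, max_trailer=MAX_TRAILER):
    """Decode a complete chunked body; return (body, trailers dict)."""
    pos, body = 0, bytearray()
    while True:
        line, pos = _line(data, pos)
        field = line.split(b";", 1)[0].strip()  # drop chunk extensions
        if not 0 < len(field) <= 8 or any(c not in HEX for c in field):
            raise ChunkedError("bad chunk size")
        size = int(field, 16)
        if size == 0:
            break
        # The cap applies to the running total, not to each chunk.
        if len(body) + size > max_body:
            raise ChunkedError("total chunked data exceeds limit")
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("truncated or misframed chunk")
        body += data[pos:pos + size]
        pos += size + 2
    trailers, used = {}, 0
    while True:
        line, pos = _line(data, pos)
        if not line:
            return bytes(body), trailers
        # Raw bytes count toward the cap, whitespace padding included.
        used += len(line) + 2
        if used > max_trailer:
            raise ChunkedError("trailer section exceeds limit")
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise ChunkedError("malformed trailer field")
        trailers[name.lower().decode("ascii", "replace")] = value.strip()
```
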
Apache Tomcat 7.x before 7.0.50 allows attackers to obtain "Tomcat
internals" information by leveraging the presence of an untrusted web
application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML
document containing an external entity declaration in conjunction with an
entity reference, related to an XML External Entity (XXE) issue
(CVE-2013-4590).
References
SRPMS
4/core
- tomcat-7.0.52-1.mga4