Advisories ยป MGASA-2023-0138

Updated tomcat packages fix security vulnerability

Publication date: 15 Apr 2023
Type: security
Affected Mageia releases : 8
CVE: CVE-2021-43980 , CVE-2022-23181 , CVE-2022-29885 , CVE-2022-34305 , CVE-2022-42252 , CVE-2022-45143 , CVE-2023-24998 , CVE-2023-28708

Description

Information disclosure due to concurrency bug (CVE-2021-43980)
Fix for CVE-2020-9484 introduced a time of check, time of use
vulnerability (CVE-2022-23181)
Correct documentation to warn of use over untrusted networks.
(CVE-2022-29885)
Correct documentation showing use of XSS vulnerability. (CVE-2022-34305)
Fix to reject invalid Content-Length header (CVE-2022-42252)
Fix escaping of the type, message or description values. (CVE-2022-45143)
Fix FileUpload limiting of the number of request parts to be processed
to prevent the possibility of an attacker triggering a DoS (CVE-2023-24998)
Fix setting of session cookie secure attribute when using RemoteIpFilter
with X-Forwarded-Proto header set to https (CVE-2023-28708)
Obsolete tomcat-jsvc
                

References

SRPMS

8/core