Synopsis: Moderate: tomcat security, bug fix, and enhancement update
Advisory ID:       SLSA-2019:2205-1
Issue Date:        2019-08-06
CVE Numbers:       CVE-2018-1305
                   CVE-2018-1304
                   CVE-2018-8034
                   CVE-2018-8014
--

Security Fix(es):

* tomcat: Incorrect handling of empty string URL in security constraints
can lead to unintended exposure of resources (CVE-2018-1304)

* tomcat: Late application of security constraints can lead to resource
exposure for unauthorised users (CVE-2018-1305)

* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials'
for all origins (CVE-2018-8014)

* tomcat: Host name verification missing in WebSocket client
(CVE-2018-8034)
--

SL7
  x86_64
    tomcat-7.0.76-9.el7.noarch.rpm
    tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
    tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
    tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
    tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm
    tomcat-lib-7.0.76-9.el7.noarch.rpm
    tomcat-webapps-7.0.76-9.el7.noarch.rpm
    tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm
    tomcat-javadoc-7.0.76-9.el7.noarch.rpm
    tomcat-jsvc-7.0.76-9.el7.noarch.rpm
  noarch
    tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm
    tomcat-7.0.76-9.el7.noarch.rpm
    tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
    tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm
    tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
    tomcat-javadoc-7.0.76-9.el7.noarch.rpm
    tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
    tomcat-jsvc-7.0.76-9.el7.noarch.rpm
    tomcat-lib-7.0.76-9.el7.noarch.rpm
    tomcat-webapps-7.0.76-9.el7.noarch.rpm

- Scientific Linux Development Team