FEDORA-2016-38e5b05260

security update in Fedora 25 for tomcat

Status: stable 2 years ago

This update includes a rebase from tomcat 8.0.36 to 8.0.38, which resolves multiple CVEs and a problem that 8.0.37 introduced for FreeIPA:

  • #1375581 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
  • #1390532 - CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws

and includes two additional CVE fixes along with one bug fix:

  • #1383210 - CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
  • #1383216 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
  • #1370262 - catalina.out is no longer in use in the main package, but still gets rotated

How to install

sudo dnf upgrade --advisory=FEDORA-2016-38e5b05260
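To confirm that a host actually picked up the fixed build after running the command above, the check below compares the installed package's version-release (as printed by `rpm -q tomcat`) against the fixed build listed in this update, tomcat-8.0.38-1.fc25. This is an added example, not part of the Bodhi advisory; the NVRA strings in it are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the Bodhi page): decide whether an installed tomcat
# package already carries the build from FEDORA-2016-38e5b05260 (tomcat-8.0.38-1.fc25).
FIXED_VERSION="8.0.38"
FIXED_RELEASE="1"

# Return 0 if dotted version string $1 is >= $2, using GNU sort -V for the ordering.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Accepts an NVRA exactly as `rpm -q tomcat` prints it, e.g. tomcat-8.0.36-4.fc25.noarch,
# prints "fixed" or "vulnerable" and returns 0 or 1 accordingly.
# Only the numeric release prefix (the "1" in 1.fc25) is compared; the dist tag is ignored.
tomcat_fix_status() {
    nvra="$1"
    rest="${nvra#tomcat-}"            # 8.0.36-4.fc25.noarch
    ver="${rest%%-*}"                 # 8.0.36
    relpart="${rest#*-}"              # 4.fc25.noarch
    rel="${relpart%%.*}"              # 4
    if version_ge "$ver" "$FIXED_VERSION"; then
        # Same upstream version: the release number must also be at least the fixed one.
        if [ "$ver" != "$FIXED_VERSION" ] || version_ge "$rel" "$FIXED_RELEASE"; then
            echo fixed
            return 0
        fi
    fi
    echo vulnerable
    return 1
}

# Stand-alone usage against the live system; the argument form lets you feed
# inventory output from other hosts instead.
if [ -n "$1" ]; then
    tomcat_fix_status "$1"
elif command -v rpm >/dev/null 2>&1; then
    tomcat_fix_status "$(rpm -q tomcat)"
fi
```

The function deliberately ignores the dist tag and architecture so the same check works on inventory exports from several Fedora releases; a newer upstream version (for example an 8.5.x build) is reported as fixed because it already contains the 8.0.38 fixes.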

Comments 12

This update has been submitted for testing by csutherl.

This update has been pushed to testing.

csutherl edited this update.

New build(s):

  • tomcat-8.0.38-1.fc25

Removed build(s):

  • tomcat-8.0.37-3.fc25

This update has been submitted for testing by csutherl.

This update has been pushed to testing.

This update has reached 3 days in testing and can be pushed to stable now if the maintainer wishes

csutherl edited this update.

no regressions noted

karma: +1

wfm

karma: +1

This update has been submitted for stable by csutherl.

This update has been pushed to stable.


Content Type
RPM
Status
stable
Test Gating
Submitted by
Update Type
security
Update Severity
high
Karma
+2
stable threshold: 3
unstable threshold: -3
Autopush (karma)
Enabled
Autopush (time)
Disabled
Dates
submitted 2 years ago
in testing 2 years ago
in stable 2 years ago
modified 2 years ago

Related Bugs 5

  • #1370262 catalina.out is no longer in use in the main package, but still gets rotated
  • #1375581 CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header [fedora-all]
  • #1383210 CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service [fedora-all]
  • #1383216 CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation [fedora-all]
  • #1390532 CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws [fedora-all]
