Bug 1540828 (CVE-2017-15706)
Summary: | CVE-2017-15706 tomcat: Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | alee, bmaxwell, ccoleman, cdewolf, chazlett, coolsvap, csutherl, darran.lofthouse, dedgar, dimitris, dmcphers, dmoppert, dosoudil, drieden, fgavrilo, gzaronik, hchiorea, hhorak, ivan.afonichev, java-sig-commits, jawilson, jclere, jcoleman, jdoyle, jgoulding, jolee, jondruse, jorton, jschatte, jshepherd, jstastny, krzysztof.daniel, lgao, mbabacek, mizdebsk, myarboro, nwallace, pgier, pjurak, ppalaga, psakar, pslavice, rnetuka, rstancel, rsvoboda, twalsh, vhalbert, vtunka, weli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | tomcat 9.0.2, tomcat 8.5.24, tomcat 8.0.48, tomcat 7.0.84 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-06-08 03:39:01 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1540830, 1541080, 1541081, 1541082 | | |
Bug Blocks: | 1540831 | | |
Description (Sam Fowler, 2018-02-01 05:41:40 UTC)

Upstream indicates that the problematic documentation was introduced as part of the fix for the following upstream bug report:
https://bz.apache.org/bugzilla/show_bug.cgi?id=61201

Matching commit is:
http://svn.apache.org/viewvc?view=revision&revision=1799368

Upstream commits correcting the documentation (for various supported branches):
http://svn.apache.org/viewvc?view=rev&rev=1814825 (9.x)
http://svn.apache.org/viewvc?view=rev&rev=1814827 (8.x)
http://svn.apache.org/viewvc?view=rev&rev=1814828 (7.x)

As the relevant part of the documentation was only recently introduced upstream, it is not yet included in the Tomcat packages as shipped in Red Hat Enterprise Linux.

External References:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.2
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.48
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.84

Created tomcat tracking bugs for this issue:
Affects: epel-6 [bug 1541082]
Affects: fedora-all [bug 1541081]