Flaw affecting Tomcat 8.0.0.RC1 to 8.0.51 and 9.0.0.M1 to 9.0.7. Improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a Denial of Service.

Upstream patch:
http://svn.apache.org/viewvc?view=rev&rev=1830375
http://svn.apache.org/viewvc?view=rev&rev=1830373

References:
https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html

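A version triage check for the affected ranges stated above, as an added example that is not part of the original report or of Tomcat. `AFFECTED`, `parse` and `is_affected` are hypothetical names, and the input is assumed to be an upstream Tomcat version string rather than a distribution package version, which may carry backported fixes. Branches the description does not list return `None` instead of being reported as unaffected.

```python
import re

# Affected ranges exactly as stated in the flaw description above, keyed by
# release branch. Branches absent from this table are not covered by the page.
AFFECTED = {
    (8, 0): ("8.0.0.RC1", "8.0.51"),
    (9, 0): ("9.0.0.M1", "9.0.7"),
}

# Pre-release qualifiers sort before the plain release: M (milestone) < RC < final.
_RANK = {"M": 0, "RC": 1, None: 2}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]?(M|RC)(\d+))?", re.IGNORECASE)


def parse(version):
    """Turn an upstream Tomcat version string into a sortable tuple."""
    m = _VERSION.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, qual, qnum = m.groups()
    qual = qual.upper() if qual else None
    return (int(major), int(minor), int(patch), _RANK[qual], int(qnum or 0))


def is_affected(version):
    """True/False inside a listed branch, None when the branch is not listed."""
    key = parse(version)
    bounds = AFFECTED.get(key[:2])
    if bounds is None:
        return None  # the page makes no statement about this branch
    low, high = (parse(b) for b in bounds)
    return low <= key <= high


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the page.
    for v in ["8.0.0.RC1", "8.0.51", "8.0.52", "9.0.0.M27", "9.0.7", "9.0.8", "8.5.30"]:
        print(v, is_affected(v))
```
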
Statement: Fuse 6.3 and 7 standalone distributions ship but do not use tomcat, and as such are not affected by this flaw; however, Fuse Integration Services 2.0 and Fuse 7 on OpenShift provide the affected artifacts via their respective maven repositories, and will provide fixes for this issue in a future release.
Created tomcat tracking bugs for this issue:
Affects: epel-all [bug 1624931]
Affects: fedora-all [bug 1624929]

This issue has been addressed in the following products:
  Red Hat JBoss Web Server
Via RHSA-2018:2700 https://access.redhat.com/errata/RHSA-2018:2700

This issue has been addressed in the following products:
  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6
Via RHSA-2018:2701 https://access.redhat.com/errata/RHSA-2018:2701

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform
Via RHSA-2018:2740 https://access.redhat.com/errata/RHSA-2018:2740

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
Via RHSA-2018:2741 https://access.redhat.com/errata/RHSA-2018:2741

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5
Via RHSA-2018:2742 https://access.redhat.com/errata/RHSA-2018:2742

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
Via RHSA-2018:2743 https://access.redhat.com/errata/RHSA-2018:2743

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2018:2921 https://access.redhat.com/errata/RHSA-2018:2921

This issue has been addressed in the following products:
  Red Hat JBoss Operations Network
Via RHSA-2018:2930 https://access.redhat.com/errata/RHSA-2018:2930

This issue has been addressed in the following products:
  Red Hat Fuse Integration Services 2.0 based on Fuse 6.3 R8
Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939

This issue has been addressed in the following products:
  Red Hat OpenShift Application Runtimes (text-only advisories)
Via RHSA-2018:2945 https://access.redhat.com/errata/RHSA-2018:2945

Oops https://bugzilla.redhat.com/show_bug.cgi?id=1608656 it was fixed in 6.4.21

This issue has been addressed in the following products:
  Red Hat Fuse 7.2
Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768