{"id":"MGASA-2018-0479","summary":"Updated tomcat packages fix security vulnerabilities","details":"An improper handing of overflow in the UTF-8 decoder with supplementary\ncharacters can lead to an infinite loop in the decoder causing a Denial\nof Service (CVE-2018-1336).\n\nThe defaults settings for the CORS filter are insecure and enable\nsupportsCredentials for all origins. It is expected that users of the\nCORS filter will have configured it appropriately for their environment\nrather than using it in the default configuration. Therefore, it is\nexpected that most users will not be impacted by this issue\n(CVE-2018-8014).\n\nThe host name verification when using TLS with the WebSocket client was\nmissing. It is now enabled by default (CVE-2018-8034).\n\nWhen the default servlet returned a redirect to a directory (e.g.\nredirecting to /foo/ when the user requested /foo) a specially crafted\nURL could be used to cause the redirect to be generated to any URI of\nthe attackers choice (CVE-2018-11784).\n","modified":"2026-04-16T06:22:23.782596549Z","published":"2018-12-09T21:20:39Z","upstream":["CVE-2018-11784","CVE-2018-1336","CVE-2018-8014","CVE-2018-8034"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0479.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23045"},{"type":"WEB","url":"http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.52"},{"type":"WEB","url":"http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.53"},{"type":"WEB","url":"http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.34"}],"affected":[{"package":{"name":"tomcat","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/tomcat?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8.0.53-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0479.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}