Synopsis:          Moderate: tomcat security, bug fix, and enhancement update
Advisory ID:       SLSA-2019:2205-1
Issue Date:        2019-08-06
CVE Numbers:       CVE-2018-1305
                   CVE-2018-1304
                   CVE-2018-8034
                   CVE-2018-8014
--

Security Fix(es):

* tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304)

* tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305)

* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)

* tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)
--

SL7
  x86_64
    tomcat-7.0.76-9.el7.noarch.rpm
    tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
    tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
    tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
    tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm
    tomcat-lib-7.0.76-9.el7.noarch.rpm
    tomcat-webapps-7.0.76-9.el7.noarch.rpm
    tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm
    tomcat-javadoc-7.0.76-9.el7.noarch.rpm
    tomcat-jsvc-7.0.76-9.el7.noarch.rpm
  noarch
    tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm
    tomcat-7.0.76-9.el7.noarch.rpm
    tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
    tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm
    tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
    tomcat-javadoc-7.0.76-9.el7.noarch.rpm
    tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
    tomcat-jsvc-7.0.76-9.el7.noarch.rpm
    tomcat-lib-7.0.76-9.el7.noarch.rpm
    tomcat-webapps-7.0.76-9.el7.noarch.rpm

- Scientific Linux Development Team