CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
69.6%
Debian Security Advisory DSA-4118-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
February 17, 2018 https://www.debian.org/security/faq
Package : tomcat-native
CVE ID : CVE-2017-15698
Jonas Klempel reported that tomcat-native, a library giving Tomcat
access to the Apache Portable Runtime (APR) library's network connection
(socket) implementation and random-number generator, does not properly
handle fields longer than 127 bytes when parsing the AIA-Extension field
of a client certificate. If OCSP checks are used, this could result in
client certificates that should have been rejected to be accepted.
For the oldstable distribution (jessie), this problem has been fixed
in version 1.1.32~repack-2+deb8u1.
For the stable distribution (stretch), this problem has been fixed in
version 1.2.12-2+deb9u1.
We recommend that you upgrade your tomcat-native packages.
For the detailed security status of tomcat-native please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/tomcat-native
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 9 | mipsel | libtcnative-1-dbgsym | < 1.2.12-2+deb9u1 | libtcnative-1-dbgsym_1.2.12-2+deb9u1_mipsel.deb |
Debian | 9 | arm64 | libtcnative-1 | < 1.2.12-2+deb9u1 | libtcnative-1_1.2.12-2+deb9u1_arm64.deb |
Debian | 7 | amd64 | libtcnative-1 | < 1.1.24-1+deb7u1 | libtcnative-1_1.1.24-1+deb7u1_amd64.deb |
Debian | 9 | ppc64el | libtcnative-1 | < 1.2.12-2+deb9u1 | libtcnative-1_1.2.12-2+deb9u1_ppc64el.deb |
Debian | 8 | armel | libtcnative-1 | < 1.1.32~repack-2+deb8u1 | libtcnative-1_1.1.32~repack-2+deb8u1_armel.deb |
Debian | 9 | all | tomcat-native | < 1.2.12-2+deb9u1 | tomcat-native_1.2.12-2+deb9u1_all.deb |
Debian | 8 | armhf | libtcnative-1 | < 1.1.32~repack-2+deb8u1 | libtcnative-1_1.1.32~repack-2+deb8u1_armhf.deb |
Debian | 8 | powerpc | libtcnative-1 | < 1.1.32~repack-2+deb8u1 | libtcnative-1_1.1.32~repack-2+deb8u1_powerpc.deb |
Debian | 9 | arm64 | libtcnative-1-dbgsym | < 1.2.12-2+deb9u1 | libtcnative-1-dbgsym_1.2.12-2+deb9u1_arm64.deb |
Debian | 9 | amd64 | libtcnative-1 | < 1.2.12-2+deb9u1 | libtcnative-1_1.2.12-2+deb9u1_amd64.deb |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
69.6%