tomcat security, bug fix, and enhancement update

ID ELSA-2019-2205
Type oraclelinux
Reporter Oracle
Modified 2019-08-13T00:00:00


[0:7.0.76-9] - Resolves: rhbz#1641873 CVE-2018-11784 tomcat: Open redirect in default servlet - Resolves: rhbz#1552375 CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended expo sure of resources - Resolves: rhbz#1552374 CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised us ers - Resolves: rhbz#1590182 CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins - Resolves: rhbz#1608609 CVE-2018-8034 tomcat: host name verification missing in WebSocket client - Resolves: rhbz#1588703 Backport of Negative maxCookieCount value causes exception for Tomcat - Resolves: rhbz#1472950 shutdown_wait option is not working for Tomcat - Resolves: rhbz#1455483 Add support for characters < and > to the possible whitelist values