Bugzilla – Bug 1078679
VUL-1: CVE-2017-15698: libtcnative-1-0: tomcat-native: Mishandling of client certificates can allow for OCSP check bypass
Last modified: 2021-01-07 19:00:53 UTC
When parsing the AIA (Authority Information Access) extension of a client certificate, Apache Tomcat
Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle
fields longer than 127 bytes (127 is the largest length DER encodes in the single-byte
short form; anything longer uses the multi-byte long form). The result of the parsing
error was that the OCSP check was skipped entirely. Client certificates that should have
been rejected (had the OCSP check been made, e.g. revoked ones) were therefore accepted.
Users not using OCSP checks are not affected by this vulnerability.
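As an added illustration (not tomcat-native's code and not part of the original report), the following C program shows the DER length edge case the description refers to: a decoder that only understands the single-byte short form loses the OCSP URI as soon as any enclosing length exceeds 127, and a caller that treats "no URI found" as "nothing to check" then skips OCSP. The AIA bytes are constructed inside the program; `naive_read_length`, `build_aia`, `find_ocsp_uri` and `demo` are hypothetical names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of DER length handling in an AIA extension parser.
 * This is illustrative code, not tomcat-native's implementation. */

/* Encode a DER length: short form below 128, long form (0x80|n, then n bytes) above. */
static size_t der_write_length(uint8_t *out, size_t len)
{
    if (len < 0x80) { out[0] = (uint8_t)len; return 1; }
    size_t n = 0;
    for (size_t t = len; t; t >>= 8) n++;
    out[0] = (uint8_t)(0x80 | n);
    for (size_t i = 0; i < n; i++)
        out[1 + i] = (uint8_t)(len >> (8 * (n - 1 - i)));
    return 1 + n;
}

/* Correct DER length decoder. Returns bytes consumed, 0 on malformed input. */
static size_t der_read_length(const uint8_t *p, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }                   /* short form */
    size_t n = p[0] & 0x7F;                                        /* long form: n length bytes follow */
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return 0;   /* indefinite or oversized: reject */
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    *len = v;
    return 1 + n;
}

/* Hypothetical short-form-only decoder: misreads every length >= 128 (the bug class). */
static size_t naive_read_length(const uint8_t *p, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    *len = p[0] & 0x7F;   /* 0x81 0x92 (146) is read as length 1 */
    return 1;
}

typedef size_t (*len_reader)(const uint8_t *, size_t, size_t *);

/* id-ad-ocsp (1.3.6.1.5.5.7.48.1), OID body without tag and length. */
static const uint8_t OID_OCSP[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01};

/* Build AuthorityInfoAccess ::= SEQUENCE { SEQUENCE { id-ad-ocsp, [6] IA5String uri } }.
 * Returns total bytes written, 0 if cap is too small. */
static size_t build_aia(uint8_t *out, size_t cap, const char *uri, size_t uri_len)
{
    uint8_t tmp[16];
    size_t oid_tlv = 2 + sizeof OID_OCSP;
    size_t ad_content = oid_tlv + 1 + der_write_length(tmp, uri_len) + uri_len;
    size_t aia_content = 1 + der_write_length(tmp, ad_content) + ad_content;
    if (1 + der_write_length(tmp, aia_content) + aia_content > cap) return 0;
    uint8_t *p = out;
    *p++ = 0x30; p += der_write_length(p, aia_content);
    *p++ = 0x30; p += der_write_length(p, ad_content);
    *p++ = 0x06; *p++ = (uint8_t)sizeof OID_OCSP;
    memcpy(p, OID_OCSP, sizeof OID_OCSP); p += sizeof OID_OCSP;
    *p++ = 0x86; p += der_write_length(p, uri_len);   /* [6] uniformResourceIdentifier */
    memcpy(p, uri, uri_len); p += uri_len;
    return (size_t)(p - out);
}

/* Return the length of the first OCSP URI in the AIA (copied to uri_out, NUL-terminated),
 * or -1 if the structure does not parse or carries no OCSP entry. */
static long find_ocsp_uri(const uint8_t *aia, size_t aia_len, len_reader rd,
                          char *uri_out, size_t cap)
{
    const uint8_t *p = aia, *end = aia + aia_len;
    size_t len, n;
    if (p >= end || *p++ != 0x30 || !(n = rd(p, (size_t)(end - p), &len))) return -1;
    p += n;
    if (len > (size_t)(end - p)) return -1;
    end = p + len;                                  /* outer SEQUENCE bounds */
    while (p < end) {
        if (*p++ != 0x30 || !(n = rd(p, (size_t)(end - p), &len))) return -1;
        p += n;
        if (len > (size_t)(end - p)) return -1;
        const uint8_t *ad_end = p + len;            /* AccessDescription bounds */
        if (p >= ad_end || *p++ != 0x06 || !(n = rd(p, (size_t)(ad_end - p), &len))) return -1;
        p += n;
        if (len > (size_t)(ad_end - p)) return -1;
        int is_ocsp = (len == sizeof OID_OCSP && memcmp(p, OID_OCSP, len) == 0);
        p += len;
        if (p >= ad_end || *p++ != 0x86 || !(n = rd(p, (size_t)(ad_end - p), &len))) return -1;
        p += n;
        if (len > (size_t)(ad_end - p)) return -1;
        if (is_ocsp) {
            if (len + 1 > cap) return -1;
            memcpy(uri_out, p, len); uri_out[len] = '\0';
            return (long)len;
        }
        p = ad_end;                                 /* skip non-OCSP entries (e.g. caIssuers) */
    }
    return -1;
}

/* Build an AIA with a uri_len-byte OCSP URL (constructed "http://aaaa..." body) and
 * parse it with either decoder. Returns the URI length recovered, or -1 on parse failure. */
static long demo(size_t uri_len, int use_correct_decoder)
{
    char uri[512], out[512];
    uint8_t aia[1024];
    if (uri_len >= sizeof uri) return -1;
    memset(uri, 'a', uri_len);
    memcpy(uri, "http://", uri_len < 7 ? uri_len : 7);
    size_t n = build_aia(aia, sizeof aia, uri, uri_len);
    if (!n) return -1;
    return find_ocsp_uri(aia, n, use_correct_decoder ? der_read_length : naive_read_length,
                         out, sizeof out);
}

int main(void)
{
    printf("40-byte URI,  correct decoder: %ld\n", demo(40, 1));
    printf("40-byte URI,  naive decoder:   %ld\n", demo(40, 0));
    printf("130-byte URI, correct decoder: %ld\n", demo(130, 1));
    /* -1 below: the URI is lost; a caller that maps "no URI" to "no responder, accept" skips OCSP */
    printf("130-byte URI, naive decoder:   %ld\n", demo(130, 0));
    return 0;
}
```

Two things worth noting when running it. First, the naive decoder already breaks before the URI itself reaches 128 bytes, because the enclosing SEQUENCE lengths cross the threshold earlier; the 127-byte boundary in the advisory applies to whichever DER length field is parsed, not only to the URL. Second, the fail-open behaviour is a separate defect from the parse bug: a hand-rolled parser that cannot decode the AIA of a certificate that is expected to carry an OCSP responder should report a verification error rather than proceed as if no responder existed.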
Another ping, since the running update is still stopped and waiting for this fix.
SUSE-SU-2019:14014-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1078679,1103347,1103348
CVE References: CVE-2017-15698,CVE-2018-8019,CVE-2018-8020
SUSE Linux Enterprise Server 11-SP4-LTSS (src): libtcnative-1-0-1.3.4-126.96.36.199
SUSE Linux Enterprise Point of Sale 11-SP3 (src): libtcnative-1-0-1.3.4-188.8.131.52
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libtcnative-1-0-1.3.4-184.108.40.206
SUSE Linux Enterprise Debuginfo 11-SP3 (src): libtcnative-1-0-1.3.4-220.127.116.11
*** NOTE: This information is not intended to be used for external
communication, because this may only be a partial fix.
If you have questions please reach out to maintenance coordination.