Bugzilla – Bug 1212612
VUL-0: CVE-2023-34981: tomcat6,tomcat: information disclosure
Last modified: 2023-06-22 08:35:57 UTC
CVE-2023-34981 A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers, no AJP SEND_HEADERS message would be sent for the response, which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request, leading to an information leak.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34981
https://bugzilla.redhat.com/show_bug.cgi?id=2216439
https://www.cve.org/CVERecord?id=CVE-2023-34981
http://www.cvedetails.com/cve/CVE-2023-34981/
https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz
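The mechanism in the description, as an added, constructed simulation (not code from Tomcat or mod_proxy_ajp): the container side encodes AJP13 SEND_HEADERS (prefix 4) and END_RESPONSE (prefix 5) packets, with the `regressed` flag modelling the affected releases, which skip SEND_HEADERS when a response has no headers. The proxy side is a deliberately simplified model of the behaviour the advisory attributes to mod_proxy_ajp: its response-header table lives on the persistent backend connection and is only replaced when a SEND_HEADERS packet arrives. Packet framing and the well-known response header code table follow the AJP13 protocol; the names `container_response`, `ProxyConnection` and `run_scenario`, the cookie value, and the omission of body chunks are assumptions of this example.

```python
# Constructed model of the CVE-2023-34981 header leak; not Tomcat or httpd code.
import struct

MAGIC = b"AB"          # container -> server packets start with 'A','B'
SEND_HEADERS = 4       # AJP13 prefix codes
END_RESPONSE = 5

# Well-known response header names travel as 2-byte codes (AJP13 table).
HEADER_CODES = {
    0xA001: "Content-Type", 0xA002: "Content-Language", 0xA003: "Content-Length",
    0xA004: "Date", 0xA005: "Last-Modified", 0xA006: "Location",
    0xA007: "Set-Cookie", 0xA008: "Set-Cookie2", 0xA009: "Servlet-Engine",
    0xA00A: "Status", 0xA00B: "WWW-Authenticate",
}
CODE_FOR_NAME = {name: code for code, name in HEADER_CODES.items()}


def _ajp_string(text: str) -> bytes:
    """AJP string: 2-byte big-endian length, the bytes, then a NUL terminator."""
    data = text.encode("latin-1")
    return struct.pack(">H", len(data)) + data + b"\x00"


def _read_string(buf: bytes, pos: int):
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length].decode("latin-1"), pos + length + 1


def _read_header_name(buf: bytes, pos: int):
    if buf[pos] == 0xA0:                       # coded well-known name
        (code,) = struct.unpack_from(">H", buf, pos)
        return HEADER_CODES[code], pos + 2
    return _read_string(buf, pos)              # arbitrary name as a string


def _packet(prefix: int, payload: bytes) -> bytes:
    body = bytes([prefix]) + payload
    return MAGIC + struct.pack(">H", len(body)) + body


def send_headers_packet(status: int, headers) -> bytes:
    payload = struct.pack(">H", status) + _ajp_string("OK") + struct.pack(">H", len(headers))
    for name, value in headers:
        if name in CODE_FOR_NAME:
            payload += struct.pack(">H", CODE_FOR_NAME[name])
        else:
            payload += _ajp_string(name)
        payload += _ajp_string(value)
    return _packet(SEND_HEADERS, payload)


def end_response_packet(reuse: bool = True) -> bytes:
    return _packet(END_RESPONSE, bytes([1 if reuse else 0]))


def container_response(status: int, headers, regressed: bool) -> bytes:
    """Bytes the container writes for one response (body chunks omitted).
    With regressed=True a header-less response produces no SEND_HEADERS at all."""
    out = b""
    if headers or not regressed:
        out += send_headers_packet(status, headers)
    return out + end_response_packet()


class ProxyConnection:
    """Front-end side of one persistent backend connection (simplified model)."""

    def __init__(self):
        self.status = None
        self.headers_out = {}      # replaced only by SEND_HEADERS, never cleared

    def read_response(self, stream: bytes):
        pos = 0
        while pos < len(stream):
            if stream[pos:pos + 2] != MAGIC:
                raise ValueError("bad packet magic")
            (length,) = struct.unpack_from(">H", stream, pos + 2)
            body = stream[pos + 4:pos + 4 + length]
            pos += 4 + length
            if body[0] == SEND_HEADERS:
                self.status, self.headers_out = self._parse_send_headers(body[1:])
            elif body[0] == END_RESPONSE:
                return self.status, dict(self.headers_out)
        raise ValueError("stream ended without END_RESPONSE")

    @staticmethod
    def _parse_send_headers(payload: bytes):
        (status,) = struct.unpack_from(">H", payload, 0)
        _reason, pos = _read_string(payload, 2)
        (count,) = struct.unpack_from(">H", payload, pos)
        pos += 2
        headers = {}
        for _ in range(count):
            name, pos = _read_header_name(payload, pos)
            value, pos = _read_string(payload, pos)
            headers[name] = value
        return status, headers


def run_scenario(regressed: bool):
    """Two responses on one connection: the first sets a session cookie (constructed
    value), the second carries no headers. Returns the header table the proxy
    would forward for the second response."""
    conn = ProxyConnection()
    conn.read_response(container_response(200, [("Set-Cookie", "JSESSIONID=user-a-session")], regressed))
    _status, second = conn.read_response(container_response(200, [], regressed))
    return second


if __name__ == "__main__":
    print("regressed:", run_scenario(True))    # previous response's Set-Cookie reappears
    print("fixed    :", run_scenario(False))   # {}
```

With `regressed=True` the second, header-less response inherits the first response's Set-Cookie at the proxy, which is the cross-request leak the advisory describes; the fix restores an explicit SEND_HEADERS with a zero header count, so the proxy's table is reset on every response. For a defender, the practical check is the version list in the advisory rather than this model: the leak requires a build that contains the regression and an AJP connector in use.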
nvm we are not affected, see the bugfix introducing the issue: https://bz.apache.org/bugzilla/show_bug.cgi?id=66512

Fix: https://github.com/apache/tomcat/commit/739c7381aed22b7636351caf885ddc519ab6b442

Not Affected (do not contain introducing commit https://github.com/apache/tomcat/commit/7c122e0f2c6f80cd5a1812afda5b0d5f751636aa)
- SUSE:ALP:Source:Standard:1.0/tomcat
- SUSE:SLE-11:Update/tomcat6
- SUSE:SLE-12-SP2:Update/tomcat
- SUSE:SLE-12-SP4:Update/tomcat
- SUSE:SLE-15-SP1:Update/tomcat
- SUSE:SLE-15:Update/tomcat

Not affected (already fixed version):
- SUSE:SLE-15-SP2:Update/tomcat
- openSUSE:Factory/tomcat
closing