Test ID:	1.3.6.1.4.1.25623.1.1.10.2016.0312
Category:	Mageia Linux Local Security Checks
Title:	Mageia: Security Advisory (MGASA-2016-0312)
Summary:	The remote host is missing an update for the 'tomcat' package(s) announced via the MGASA-2016-0312 advisory.
Description:	Summary: The remote host is missing an update for the 'tomcat' package(s) announced via the MGASA-2016-0312 advisory. Vulnerability Insight: Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an 'httpoxy' issue (CVE-2016-5388). Affected Software/OS: 'tomcat' package(s) on Mageia 5. Solution: Please install the updated package(s). CVSS Score: 5.1 CVSS Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2016-5388 1036331 http://www.securitytracker.com/id/1036331 91818 http://www.securityfocus.com/bid/91818 RHSA-2016:1624 http://rhn.redhat.com/errata/RHSA-2016-1624.html RHSA-2016:1635 https://access.redhat.com/errata/RHSA-2016:1635 RHSA-2016:1636 https://access.redhat.com/errata/RHSA-2016:1636 RHSA-2016:2045 http://rhn.redhat.com/errata/RHSA-2016-2045.html RHSA-2016:2046 http://rhn.redhat.com/errata/RHSA-2016-2046.html VU#797896 http://www.kb.cert.org/vuls/id/797896 [activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E [activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries. https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E [activemq-issues] 20190925 [jira] [Created] (AMQ-7310) Security Vulnerabilities in Tomcat-websocket-api.jar https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E [debian-lts-announce] 20190813 [SECURITY] [DLA 1883-1] tomcat8 security update https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html [tomcat-users] 20200813 CVE reporting discrepencies https://lists.apache.org/thread.html/rc6b2147532416cc736e68a32678d3947b7053c3085cf43a9874fd102%40%3Cusers.tomcat.apache.org%3E [tomcat-users] 20200813 Re: CVE reporting discrepencies https://lists.apache.org/thread.html/r2853582063cfd9e7fbae1e029ae004e6a83482ae9b70a698996353dd%40%3Cusers.tomcat.apache.org%3E [tomcat-users] 20200814 Re: CVE reporting discrepencies https://lists.apache.org/thread.html/rf21b368769ae70de4dee840a3228721ae442f1d51ad8742003aefe39%40%3Cusers.tomcat.apache.org%3E http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 https://httpoxy.org/ https://tomcat.apache.org/tomcat-7.0-doc/changelog.html https://www.apache.org/security/asf-httpoxy-response.txt openSUSE-SU-2016:2252 http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
Copyright	Copyright (C) 2022 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.