Bug 831117 (CVE-2013-2071) - VUL-0: CVE-2013-2071: tomcat7 Information disclosure
Summary: VUL-0: CVE-2013-2071: tomcat7 Information disclosure
Status: RESOLVED FIXED
Alias: CVE-2013-2071
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2013-07-24 12:32 UTC by Marcus Meissner
Modified: 2015-02-19 01:31 UTC
Description Marcus Meissner 2013-07-24 12:32:15 UTC
via tomcat advisory page http://tomcat.apache.org/security-7.html

Fixed in Apache Tomcat 7.0.40, released 9 May 2013

    Moderate: Information disclosure CVE-2013-2071

    Bug 54178 described a scenario where elements of a previous request may be exposed to a current request. This was very difficult to exploit deliberately but fairly likely to happen unexpectedly if an application used AsyncListeners that threw RuntimeExceptions.

    This was fixed in revision 1471372.

    The root cause of the problem was identified as a Tomcat bug on 2 April 2013. The Tomcat security team identified the security implications on 24 April 2013 and made those details public on 10 May 2013.

    Affects: 7.0.0-7.0.39
Comment 1 Swamp Workflow Management 2013-07-24 22:00:29 UTC
bugbot adjusting priority
Comment 2 Michal Vyskocil 2013-07-26 13:10:24 UTC
fixed in bnc#822177
Comment 3 Bernhard Wiedemann 2013-07-26 14:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (831117) was mentioned in
https://build.opensuse.org/request/show/184435 Maintenance / 
https://build.opensuse.org/request/show/184436 Maintenance /
Comment 4 Bernhard Wiedemann 2013-07-29 10:00:50 UTC
This is an autogenerated message for OBS integration:
This bug (831117) was mentioned in
https://build.opensuse.org/request/show/184583 Maintenance /
Comment 5 Bernhard Wiedemann 2013-07-30 14:00:34 UTC
This is an autogenerated message for OBS integration:
This bug (831117) was mentioned in
https://build.opensuse.org/request/show/184951 Maintenance / 
https://build.opensuse.org/request/show/184952 Maintenance /
Comment 6 Swamp Workflow Management 2013-08-07 08:04:32 UTC
openSUSE-SU-2013:1306-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 822177,831117
CVE References: CVE-2013-1976,CVE-2013-2071
Sources used:
openSUSE 12.3 (src):    tomcat-7.0.35-2.9.1
Comment 7 Swamp Workflow Management 2013-08-07 08:05:23 UTC
openSUSE-SU-2013:1307-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 768772,804992,822177,831117,831119
CVE References: CVE-2013-1976,CVE-2013-2067,CVE-2013-3544
Sources used:
openSUSE 12.2 (src):    tomcat-7.0.27-2.19.1
Comment 8 Bernhard Wiedemann 2013-08-28 06:01:56 UTC
This is an autogenerated message for OBS integration:
This bug (831117) was mentioned in
https://build.opensuse.org/request/show/196597 Evergreen:11.2 / tomcat6
Comment 9 Marcus Meissner 2013-08-28 09:42:42 UTC
released
Comment 10 Swamp Workflow Management 2013-09-08 16:05:13 UTC
openSUSE-SU-2013:1411-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 768772,822177,831117,831119
CVE References: CVE-2012-3544,CVE-2013-1976,CVE-2013-2067
Sources used:
openSUSE 11.4 (src):    tomcat6-6.0.32-42.1
Comment 11 Bernhard Wiedemann 2013-09-11 06:02:43 UTC
This is an autogenerated message for OBS integration:
This bug (831117) was mentioned in
https://build.opensuse.org/request/show/198409 Evergreen:11.2 / tomcat6