Package        : tomcat-native
Version        : 1.1.24-1+deb7u1
CVE ID         : CVE-2017-15698

Jonas Klempel discovered that, when parsing the AIA-Extension field of a client certificate, Apache Tomcat Native did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.

For Debian 7 "Wheezy", these problems have been fixed in version 1.1.24-1+deb7u1.

We recommend that you upgrade your tomcat-native packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
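127 is the largest length that ASN.1 encodes in a single length octet; longer fields use a long form in which the first octet gives the number of length octets that follow. The C code below is an added example, not Tomcat Native's code or its patch: it decodes both forms and returns a reject decision on any parse error instead of skipping the OCSP check. The function names, the `ocsp_action` enum and the sample buffer are hypothetical, and it assumes the OCSP URI is a GeneralName `[6]` element (tag `0x86`).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode an ASN.1 length at p; returns octets consumed, 0 on error. */
static size_t der_read_len(const unsigned char *p, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }   /* short form: 0..127 */
    size_t n = p[0] & 0x7F, v = 0;                /* long form: n octets follow */
    if (n == 0 || n > sizeof(size_t) || n + 1 > avail) return 0;
    for (size_t i = 1; i <= n; i++) v = (v << 8) | p[i];
    *len = v;
    return n + 1;
}

enum ocsp_action { OCSP_CHECK, OCSP_REJECT };

/* Hypothetical helper: read a URI GeneralName (tag 0x86); fail closed. */
static enum ocsp_action aia_uri(const unsigned char *buf, size_t avail,
                                const unsigned char **uri, size_t *uri_len)
{
    size_t len = 0, hdr;
    if (avail < 2 || buf[0] != 0x86) return OCSP_REJECT;
    hdr = der_read_len(buf + 1, avail - 1, &len);
    if (hdr == 0 || len > avail - 1 - hdr) return OCSP_REJECT; /* never skip */
    *uri = buf + 1 + hdr;
    *uri_len = len;
    return OCSP_CHECK;
}

/* Constructed sample input: tag, length, then uri_len (<= 255) filler bytes. */
static size_t make_sample(unsigned char *out, size_t uri_len)
{
    size_t off = 0;
    out[off++] = 0x86;
    if (uri_len >= 0x80) out[off++] = 0x81;       /* one length octet follows */
    out[off++] = (unsigned char)uri_len;
    memset(out + off, 'a', uri_len);
    return off + uri_len;
}

int main(void)
{
    unsigned char buf[300]; const unsigned char *uri; size_t n;
    int ok = aia_uri(buf, make_sample(buf, 200), &uri, &n) == OCSP_CHECK;
    printf("%d %zu\n", ok, n);
    return 0;
}
```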
