Candidate: CVE-2018-8019
PublicDate: 2018-07-31 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8019
 https://svn.apache.org/r1832832
 http://mail-archives.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180721095943.GA24320%40minotaur.apache.org%3E
Description:
 When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and
 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed
 for revoked client certificates to be incorrectly identified. It was
 therefore possible for users to authenticate with revoked certificates when
 using mutual TLS. Users not using OCSP checks are not affected by this
 vulnerability.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N [7.4 HIGH]


Patches_tomcat-native:
upstream_tomcat-native: released (1.2.17-1)
precise/esm_tomcat-native: DNE
trusty_tomcat-native: ignored (reached end-of-life)
trusty/esm_tomcat-native: DNE (trusty was needs-triage)
xenial_tomcat-native: ignored (end of standard support, was needed)
bionic_tomcat-native: not-affected (1.2.17-1)
cosmic_tomcat-native: not-affected (1.2.17-1)
disco_tomcat-native: not-affected (1.2.17-1)
eoan_tomcat-native: not-affected (1.2.17-1)
focal_tomcat-native: not-affected (1.2.17-1)
groovy_tomcat-native: not-affected (1.2.17-1)
hirsute_tomcat-native: not-affected (1.2.17-1)
impish_tomcat-native: not-affected (1.2.17-1)
jammy_tomcat-native: not-affected (1.2.17-1)
devel_tomcat-native: not-affected (1.2.17-1)