CVE-2018-8020

NameCVE-2018-8020
DescriptionApache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS. Users not using OCSP checks are not affected by this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1475-1, ELA-28-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat-native (PTS)jessie, jessie (lts)1.1.32~repack-2+deb8u2fixed
stretch (security), stretch (lts), stretch1.2.21-1~deb9u1fixed
buster1.2.21-1fixed
bullseye1.2.26-1fixed
bookworm1.2.35-1fixed
sid, trixie1.3.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat-nativesourcewheezy1.1.24-1+deb7u2ELA-28-1
tomcat-nativesourcejessie1.1.32~repack-2+deb8u2DLA-1475-1
tomcat-nativesourcestretch1.2.12-2+deb9u2
tomcat-nativesource(unstable)1.2.17-1

Notes

https://svn.apache.org/r1832863
Search for package or bug name: Reporting problems