
Accepted tomcat7 7.0.56-3+really7.0.100-1 (source all) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Mar 2020 12:33:23 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.56-3+really7.0.100-1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Changes:
 tomcat7 (7.0.56-3+really7.0.100-1) jessie-security; urgency=high
 .
   * New upstream version 7.0.56-3+really7.0.100.
   * Fix CVE-2019-17569: HTTP Request Smuggling
     The refactoring in 7.0.98 introduced a regression. The result of the
     regression was that invalid Transfer-Encoding headers were incorrectly
     processed leading to a possibility of HTTP Request Smuggling if Tomcat was
     located behind a reverse proxy that incorrectly handled the invalid
     Transfer-Encoding header in a particular manner. Such a reverse proxy is
     considered unlikely.
   * Fix CVE-2020-1935: HTTP Request Smuggling
     The HTTP header parsing code used an approach to end-of-line (EOL) parsing
     that allowed some invalid HTTP headers to be parsed as valid. This led to a
     possibility of HTTP Request Smuggling if Tomcat was located behind a
     reverse proxy that incorrectly handled the invalid Transfer-Encoding header
     in a particular manner. Such a reverse proxy is considered unlikely.
   * Fix CVE-2020-1936: AJP Request Injection and potential Remote Code Execution
     When using the Apache JServ Protocol (AJP), care must be taken when
     trusting incoming connections to Apache Tomcat. Tomcat treats AJP
     connections as having higher trust than, for example, a similar HTTP
     connection. If such connections are available to an attacker, they can be
     exploited in ways that may be surprising. Prior to Tomcat 7.0.100, Tomcat
     shipped with an AJP Connector enabled by default that listened on all
     configured IP addresses. It was expected (and recommended in the security
     guide) that this Connector would be disabled if not required.
     .
     Note that Debian already disabled the AJP connector by default. Mitigation
     is only required if the AJP port was made accessible to untrusted users.
Checksums-Sha1:
 9236d30e67b87ee5d6621d4616193127506f7635 3033 tomcat7_7.0.56-3+really7.0.100-1.dsc
 d699b8e107cee9ece80f051cc4cbc521ba49ffa7 3426752 tomcat7_7.0.56-3+really7.0.100.orig.tar.xz
 c1895fb4087d128bd7f7a63a15eb2de9c7cdb226 53576 tomcat7_7.0.56-3+really7.0.100-1.debian.tar.xz
 87d351e7a8c95a6514bade5d7aeda4740d5e48c7 300002 tomcat7-common_7.0.56-3+really7.0.100-1_all.deb
 8578578469b3f3051d73ba5629e3f23d0529b9ca 56482 tomcat7_7.0.56-3+really7.0.100-1_all.deb
 0cd4dfce2893436391d0310beec4b157ae94ae92 44056 tomcat7-user_7.0.56-3+really7.0.100-1_all.deb
 b1b65d69f568fad5d7fd019e8f44680cabcc51cc 4028254 libtomcat7-java_7.0.56-3+really7.0.100-1_all.deb
 1318ae5f3e362a5a7fb73a22920bfb11cdafbf05 319176 libservlet3.0-java_7.0.56-3+really7.0.100-1_all.deb
 9bc3e0497ef76889a9e177b4eaef5279259f0760 212028 libservlet3.0-java-doc_7.0.56-3+really7.0.100-1_all.deb
 ffefdb01180a85f40f3c03a26db6a30f7711d053 40128 tomcat7-admin_7.0.56-3+really7.0.100-1_all.deb
 7d4815a380b7f4609650a6aa50a0e9dd2af13e12 203604 tomcat7-examples_7.0.56-3+really7.0.100-1_all.deb
 fef25e4bdd96955d1e2c3cd35307068ebaced002 703952 tomcat7-docs_7.0.56-3+really7.0.100-1_all.deb
Checksums-Sha256:
 456d0a791b0cbe0701da986e6eea398b8af56e536a6779a90fc5f0027729aee4 3033 tomcat7_7.0.56-3+really7.0.100-1.dsc
 74f261e8b5f5644865e8044e56826779e53227a5fea05c444b8bdaeb2310752d 3426752 tomcat7_7.0.56-3+really7.0.100.orig.tar.xz
 e1fa951a449c5af52d3ec42044a29391b9e6b0cd45e6c0c1586bb364ac50a4df 53576 tomcat7_7.0.56-3+really7.0.100-1.debian.tar.xz
 c00e377f83ca7ac9741141f779b297f59f442a1ad77eefd9087de062fb86ad00 300002 tomcat7-common_7.0.56-3+really7.0.100-1_all.deb
 fa8d3ca26e68f29765cad5c999d6cb0a3e4df9d49f7638a22f4c68db9121959b 56482 tomcat7_7.0.56-3+really7.0.100-1_all.deb
 fdf1217385512d024628aaf895759008ee05671fc61fcac094a55db7e7ccee37 44056 tomcat7-user_7.0.56-3+really7.0.100-1_all.deb
 a747926dea1c4566355b1a1f1baa923984ccdf022a325fff35553a3dc280ca90 4028254 libtomcat7-java_7.0.56-3+really7.0.100-1_all.deb
 493b164bb16d43258b0284a33acb84e8ee8846d0044ebdeb3c1be1aa2e752a75 319176 libservlet3.0-java_7.0.56-3+really7.0.100-1_all.deb
 35a5fcc72d6312c0c2c41c8549d5a563189864f4751d9492d9b16693834a213a 212028 libservlet3.0-java-doc_7.0.56-3+really7.0.100-1_all.deb
 553e8122e310760869587425bd52a9c6f63e4224480933b5a88f5c95aa26e989 40128 tomcat7-admin_7.0.56-3+really7.0.100-1_all.deb
 4dce50380d7e9ba898facc4e9eb09f4eac9750bb9d8d266557b7215a0b45a459 203604 tomcat7-examples_7.0.56-3+really7.0.100-1_all.deb
 c048987e44fdd2ba02ffb235d4cff700f0688319bdfc5060c7c9603760702b4a 703952 tomcat7-docs_7.0.56-3+really7.0.100-1_all.deb
Files:
 373ddc039b47d44f651cfd02efdb6012 3033 java optional tomcat7_7.0.56-3+really7.0.100-1.dsc
 0efc258afb43cbb86cbb808956fc8121 3426752 java optional tomcat7_7.0.56-3+really7.0.100.orig.tar.xz
 175ab595a796164b8db346d2b499bc95 53576 java optional tomcat7_7.0.56-3+really7.0.100-1.debian.tar.xz
 418a749078aca47286ad831cd46893f0 300002 java optional tomcat7-common_7.0.56-3+really7.0.100-1_all.deb
 a89811c4de84a2630da68ed5742e4e1a 56482 java optional tomcat7_7.0.56-3+really7.0.100-1_all.deb
 116341be7e3ff7627c92a7b9dd40c4bd 44056 java optional tomcat7-user_7.0.56-3+really7.0.100-1_all.deb
 6bb5219356c824ceedb421915f313740 4028254 java optional libtomcat7-java_7.0.56-3+really7.0.100-1_all.deb
 13439864a1c0496b9b50da959ed6bf7c 319176 java optional libservlet3.0-java_7.0.56-3+really7.0.100-1_all.deb
 3f489757b47af5bb91331aa56de4e91d 212028 doc optional libservlet3.0-java-doc_7.0.56-3+really7.0.100-1_all.deb
 149e004a3eab51cc0a40a7ec3f7a2e0a 40128 java optional tomcat7-admin_7.0.56-3+really7.0.100-1_all.deb
 485113675e4115023eea637c5e174c99 203604 java optional tomcat7-examples_7.0.56-3+really7.0.100-1_all.deb
 9daa513217000a4d99465df14a7a6a17 703952 doc optional tomcat7-docs_7.0.56-3+really7.0.100-1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----