
Accepted tomcat8 8.0.14-1+deb8u17 (source all) into oldoldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 May 2020 18:08:54 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u17
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documentation
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applications
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user instances
Changes:
 tomcat8 (8.0.14-1+deb8u17) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
 .
   * WARNING: The fix for CVE-2020-1938 may disrupt services that rely on a
     working AJP configuration. The option secretRequired defaults to true now.
     You should define a secret in your server.xml or you can revert back by
     setting secretRequired to false.
 .
   * Fix CVE-2019-17563:
     When using FORM authentication with Apache Tomcat there was a narrow window
     where an attacker could perform a session fixation attack. The window was
     considered too narrow for an exploit to be practical but, erring on the
     side of caution, this issue has been treated as a security vulnerability.
   * Fix CVE-2020-1935:
     In Apache Tomcat the HTTP header parsing code used an approach to
     end-of-line parsing that allowed some invalid HTTP headers to be parsed as
     valid. This led to a possibility of HTTP Request Smuggling if Tomcat was
     located behind a reverse proxy that incorrectly handled the invalid
     Transfer-Encoding header in a particular manner. Such a reverse proxy is
     considered unlikely.
   * Fix CVE-2020-1938:
     When using the Apache JServ Protocol (AJP), care must be taken when
     trusting incoming connections to Apache Tomcat. Tomcat treats AJP
     connections as having higher trust than, for example, a similar HTTP
     connection. If such connections are available to an attacker, they can be
     exploited in ways that may be surprising. Previously Tomcat shipped with an
     AJP Connector enabled by default that listened on all configured IP
     addresses. It was expected (and recommended in the security guide) that
     this Connector would be disabled if not required.
     .
     Note that Debian already disabled the AJP connector by default.
     Mitigation is only required if the AJP port was made accessible to
     untrusted users.
   * Fix CVE-2020-9484:
      When using Apache Tomcat, if a) an attacker is able to control the contents
      and name of a file on the server; and b) the server is configured to use
     the PersistenceManager with a FileStore; and c) the PersistenceManager is
     configured with sessionAttributeValueClassNameFilter="null" (the default
     unless a SecurityManager is used) or a sufficiently lax filter to allow the
     attacker provided object to be deserialized; and d) the attacker knows the
     relative file path from the storage location used by FileStore to the file
     the attacker has control over; then, using a specifically crafted request,
     the attacker will be able to trigger remote code execution via
     deserialization of the file under their control. Note that all of
     conditions a) to d) must be true for the attack to succeed.
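The secretRequired warning above, as an added audit check (example code, not part of this Debian upload or of Tomcat itself): it parses a constructed server.xml and reports, for each active AJP connector, whether the new secretRequired default will stop it from starting and whether it has been reverted to run without any shared secret; the attribute names secretRequired, secret and address are Tomcat's Connector attributes, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from any real host): one HTTP connector,
# a commented-out AJP connector (as Debian ships it) and one active AJP
# connector with no secret, bound to all interfaces.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per active AJP Connector (commented-out ones are
    dropped by the XML parser, so they are correctly ignored)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        # secretRequired defaults to true after the deb8u17 update.
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        has_secret = bool(conn.get("secret"))
        findings.append({
            "port": conn.get("port"),
            # No address attribute means the connector listens on all addresses.
            "address": conn.get("address", "all"),
            "secretRequired": secret_required,
            "hasSecret": has_secret,
            # New default with no secret: the connector will not start, which
            # is the service disruption the changelog warns about.
            "willFailToStart": secret_required and not has_secret,
            # secretRequired reverted to false and no secret: AJP is still
            # reachable without any shared secret, so the port must not be
            # exposed to untrusted networks.
            "unauthenticatedAjp": not secret_required and not has_secret,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

The hardened form is the same Connector with address="127.0.0.1" (or the proxy's address), secretRequired="true" and a long random secret that the reverse proxy is configured to send.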
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----