Accepted tomcat8 8.5.54-0+deb9u2 (source all) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 12 Jul 2020 19:47:49 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.5.54-0+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat8 (8.5.54-0+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2020-9484:
     When using Apache Tomcat, if a) an attacker is able to control the contents and
     name of a file on the server; and b) the server is configured to use the
     PersistenceManager with a FileStore; and c) the PersistenceManager is
     configured with sessionAttributeValueClassNameFilter="null" (the default
     unless a SecurityManager is used) or a sufficiently lax filter to allow the
     attacker provided object to be deserialized; and d) the attacker knows the
     relative file path from the storage location used by FileStore to the file
     the attacker has control over; then, using a specifically crafted request,
     the attacker will be able to trigger remote code execution via
     deserialization of the file under their control. Note that all of
     conditions a) to d) must be true for the attack to succeed.
   * Fix CVE-2020-11996:
     A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat could
     trigger high CPU usage for several seconds. If a sufficient number of such
     requests were made on concurrent HTTP/2 connections, the server could
     become unresponsive.
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----