<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Markus Koschany pushed to branch stretch
at <a href="https://salsa.debian.org/java-team/tomcat8">Debian Java Maintainers / tomcat8</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/java-team/tomcat8/-/commit/7941f5aef90e1fa2ffb32d9124664ce41f96ed95">7941f5ae</a></strong>
<div>
<span>by Markus Koschany</span>
<i>at 2020-04-10T21:18:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Import Upstream version 8.5.54</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/java-team/tomcat8/-/commit/166008b7357346a55f21606acc939a9ddb23d506">166008b7</a></strong>
<div>
<span>by Markus Koschany</span>
<i>at 2020-04-10T21:18:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Import Debian changes 8.5.54-0+deb9u1
tomcat8 (8.5.54-0+deb9u1) stretch-security; urgency=high
* Team upload.
* Fix CVE-2019-17569: HTTP Request Smuggling
The refactoring in 8.5.48 introduced a regression. The result of the
regression was that invalid Transfer-Encoding headers were incorrectly
processed leading to a possibility of HTTP Request Smuggling if Tomcat was
located behind a reverse proxy that incorrectly handled the invalid
Transfer-Encoding header in a particular manner. Such a reverse proxy is
considered unlikely.
* Fix CVE-2020-1935: HTTP Request Smuggling
The HTTP header parsing code used an approach to end-of-line (EOL) parsing
that allowed some invalid HTTP headers to be parsed as valid. This led to a
possibility of HTTP Request Smuggling if Tomcat was located behind a
reverse proxy that incorrectly handled the invalid Transfer-Encoding header
in a particular manner. Such a reverse proxy is considered unlikely.
* Fix CVE-2020-1938: AJP Request Injection and potential Remote Code Execution
When using the Apache JServ Protocol (AJP), care must be taken when
trusting incoming connections to Apache Tomcat. Tomcat treats AJP
connections as having higher trust than, for example, a similar HTTP
connection. If such connections are available to an attacker, they can be
exploited in ways that may be surprising. Prior to Tomcat 7.0.100, Tomcat
shipped with an AJP Connector enabled by default that listened on all
configured IP addresses. It was expected (and recommended in the security
guide) that this Connector would be disabled if not required.
.
Note that Debian already disabled the AJP connector by default. Mitigation
is only required if the AJP port was made accessible to untrusted users.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/java-team/tomcat8/-/commit/394ff3b35e8c7f80a217eac2be542b9055642244">394ff3b3</a></strong>
<div>
<span>by Markus Koschany</span>
<i>at 2020-04-10T21:19:34+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Set to UNRELEASED
</pre>
</li>
</ul>
<h4>30 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#dea01dd89a3b602828e630677fde5d77c06441c8">
<span class="new-file">
+
.travis.yml
</span>
</a>
</li>
<li class="file-stats">
<a href="#b63b1ba063dfda275f9f9fc2aad4340c68fde6d4">
<span class="new-file">
+
.travis/antTest.sh
</span>
</a>
</li>
<li class="file-stats">
<a href="#fe71871083ca490e6bc0da33fb48ce231f820a94">
NOTICE
</a>
</li>
<li class="file-stats">
<a href="#1f06ff1c1113334e3b5f4c7d284f5c65654cf739">
bin/catalina.bat
</a>
</li>
<li class="file-stats">
<a href="#3f42a2bf9b1514ff5b8ffaf2b0d53b263d6a17a0">
bin/catalina.sh
</a>
</li>
<li class="file-stats">
<a href="#c42fa9de422a4110e36cf0e09e96cedd8c3c474c">
bin/daemon.sh
</a>
</li>
<li class="file-stats">
<a href="#65d04013ea262a52ba54c8de534eae494865583c">
build.properties.default
</a>
</li>
<li class="file-stats">
<a href="#bdc348bf75801c527f51cdeddc8edf027f7ef35a">
build.xml
</a>
</li>
<li class="file-stats">
<a href="#2bc5147650c40facb1ae57d0ead22ec78b01819c">
conf/catalina.policy
</a>
</li>
<li class="file-stats">
<a href="#a9e258d7e74856eb9f4422837b9ca038d050463f">
conf/server.xml
</a>
</li>
<li class="file-stats">
<a href="#ea0ff7f3ec429da8ec7ce29ccffe1a11e215a544">
conf/web.xml
</a>
</li>
<li class="file-stats">
<a href="#9c96da0e9f91d7d8937b69b524702c106258f0d1">
debian/changelog
</a>
</li>
<li class="file-stats">
<a href="#13a3d3e6299e9b16591c82afe5440c123d6e134c">
<span class="deleted-file">
−
debian/patches/0002-do-not-load-AJP13-connector-by-default.patch
</span>
</a>
</li>
<li class="file-stats">
<a href="#febb02e40bf351f0f9b27d9bdf83b00effddbb59">
debian/patches/0018-fix-manager-webapp.patch
</a>
</li>
<li class="file-stats">
<a href="#bc34014ab4b9a49dd7a27bdd8d352912607c3a96">
debian/patches/series
</a>
</li>
<li class="file-stats">
<a href="#75add6d4e9d64295fb12109cb7d4faec6793b487">
java/javax/el/ExpressionFactory.java
</a>
</li>
<li class="file-stats">
<a href="#a2d5e4dc5be19c95ac23fd62a03aa1c79f1de1bb">
java/javax/el/ImportHandler.java
</a>
</li>
<li class="file-stats">
<a href="#b066e54908b3fd577f61a1d07bf645d1be0be7eb">
java/javax/el/LocalStrings.properties
</a>
</li>
<li class="file-stats">
<a href="#40a885b9ce57fd2c3ac00092781010c21328c84b">
java/javax/el/LocalStrings_fr.properties
</a>
</li>
<li class="file-stats">
<a href="#11cf973b3bcd47b436fa60c14431e799a5338fee">
java/javax/el/StaticFieldELResolver.java
</a>
</li>
<li class="file-stats">
<a href="#70f49f0afaa9216d4d5070e8696b80ead632ec87">
java/javax/security/auth/message/config/AuthConfigFactory.java
</a>
</li>
<li class="file-stats">
<a href="#651e21a16192ca93ec150c1ca17a0e61e237d7bf">
java/javax/servlet/LocalStrings_zh_CN.properties
</a>
</li>
<li class="file-stats">
<a href="#7de9cbb7f5a6c035194f0987f1c7f93cea730d0c">
java/javax/servlet/annotation/WebServlet.java
</a>
</li>
<li class="file-stats">
<a href="#2c8614f39f55d33659552d46646847536dfccb52">
java/javax/servlet/http/HttpServlet.java
</a>
</li>
<li class="file-stats">
<a href="#c97ee98f80e451256407bba2275694093cf1bb2a">
java/org/apache/catalina/AccessLog.java
</a>
</li>
<li class="file-stats">
<a href="#33799d1809dc0dae85eefc713866e85312262e26">
java/org/apache/catalina/Globals.java
</a>
</li>
<li class="file-stats">
<a href="#c9f709e18ae9b743b9551d0b55a307017d4be159">
java/org/apache/catalina/SessionEvent.java
</a>
</li>
<li class="file-stats">
<a href="#219bf8496f9fc15eec19de20c9471a69b7e5d298">
java/org/apache/catalina/WebResourceRoot.java
</a>
</li>
<li class="file-stats">
<a href="#c0ff0c8b9a02cb4fdeb3de59e18f20109b272ccb">
java/org/apache/catalina/ant/AbstractCatalinaTask.java
</a>
</li>
<li class="file-stats">
<a href="#c971f4ce976f6ee170792c9445e03c6768158dcf">
java/org/apache/catalina/ant/ValidatorTask.java
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
<a href="https://salsa.debian.org/java-team/tomcat8/-/compare/63928c74ba4bf3db1044d551277a2b8ee978e32b...394ff3b35e8c7f80a217eac2be542b9055642244">View it on GitLab</a>.
<br>
You're receiving this email because of your account on salsa.debian.org.
If you'd like to receive fewer emails, you can
adjust your notification settings.
</p>
</div>
</body>
</html>