[Secure-testing-commits] r52399 - in data: . CVE
Ola Lundqvist
opal at moszumanska.debian.org
Wed Jun 7 21:00:22 UTC 2017
Author: opal
Date: 2017-06-07 21:00:21 +0000 (Wed, 07 Jun 2017)
New Revision: 52399
Modified:
data/CVE/list
data/dla-needed.txt
Log:
Tomcat 6 and 7 vulnerable.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-06-07 20:11:04 UTC (rev 52398)
+++ data/CVE/list 2017-06-07 21:00:21 UTC (rev 52399)
@@ -11147,6 +11147,13 @@
NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
- tomcat6 6.0.41-3
NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie
+ [wheezy] - tomcat6 <unfixed>
+ NOTE: Even though jessie version of tomcat6 is not vulnerable wheezy is.
+ NOTE: A starting point is an extract of the tomcat 8 changes that can be
+ NOTE: found here: http://apt.inguza.net/wheezy-security/tomcat/tomcat8-CVE-2017-5664.patch
+ NOTE: Something similar to that have to be back-ported to tomcat6.
+ NOTE: For tomcat7 the file from latest tomcat7 can probably be used
+ NOTE: more or less as is.
NOTE: https://lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066@%3Cannounce.tomcat.apache.org%3E
NOTE: Fixed by; http://svn.apache.org/r1793469 (8.5.x)
NOTE: Fixed by: http://svn.apache.org/r1793488 (8.5.x)
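Review bot: the hunk only adds a wheezy entry for tomcat6 (`+ [wheezy] - tomcat6 <unfixed>`), yet the commit log says "Tomcat 6 and 7 vulnerable" and the added NOTE lines discuss a tomcat7 backport; if wheezy's tomcat7 is affected as well, a matching `[wheezy] - tomcat7 <unfixed>` line is needed here, otherwise the tracker will not show tomcat7 as open. Two smaller points: the starting-point patch is referenced only by its location on a non-Debian host (apt.inguza.net), so the NOTE should also tie it to the upstream revisions already listed below (r1793469, r1793488) so the backport can be checked against the authoritative source; and the pre-existing `NOTE: Fixed by;` line above uses a semicolon where the next line uses a colon.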
Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2017-06-07 20:11:04 UTC (rev 52398)
+++ data/dla-needed.txt 2017-06-07 21:00:21 UTC (rev 52399)
@@ -116,6 +116,10 @@
NOTE: two leaks (CVE-2017-9403, CVE-2017-9404). Might be worth waiting until
NOTE: more issues piled up
--
+tomcat6
+--
+tomcat7
+--
trafficserver
NOTE: maintainer contacted 2017-04-26
NOTE: reproducer doesn't crash server in a test VM - <not-affected>? --anarcat
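Review bot: the new `tomcat6` and `tomcat7` entries carry no NOTE line, unlike the surrounding entries (e.g. `trafficserver` records who was contacted and when); adding a NOTE with the CVE id this work is for (CVE-2017-5664, per the patch name in the data/CVE/list hunk) and the pointer to the tomcat8 starting-point patch would let whoever claims the package start without re-reading the CVE list entry.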