[Git][security-tracker-team/security-tracker][master] tomcat9 now in the archive
Moritz Muehlenhoff
jmm at debian.org
Mon Dec 3 15:59:41 GMT 2018
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
218f3556 by Moritz Muehlenhoff at 2018-12-03T15:59:16Z
tomcat9 now in the archive
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -23259,7 +23259,7 @@ CVE-2018-11785 (Missing authorization check in Apache Impala before 3.0.1 allows
NOT-FOR-US: Apache Impala
CVE-2018-11784 (When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, ...)
{DLA-1545-1 DLA-1544-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.34-1
- tomcat8.0 <removed> (unimportant)
NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
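Review bot: the new parenthetical "Fixed before initial upload" on the tomcat9 line records no version, so a reader of data/CVE/list cannot check the claim against the affected range given in the description (9.0.0.M1 to 9.0.11) without consulting the archive; consider stating the version of the first tomcat9 upload in the parenthetical or in a NOTE line, e.g. `- tomcat9 <not-affected> (Fixed before initial upload; first upload was <tomcat9-version>)` with the real version filled in, so the same wording used in every hunk of this patch is verifiable from the list itself.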
@@ -33078,7 +33078,7 @@ CVE-2018-8038 (Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable
NOT-FOR-US: Apache CXF
CVE-2018-8037 (If an async request was completed by the application at the same time ...)
{DSA-4281-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.32-1
[jessie] - tomcat8 <not-affected> (vulnerable code only present in 8.5.5 to 8.5.31 in 8.x series)
- tomcat8.0 <not-affected> (Vulnerable code only present in 8.5.5 to 8.5.31 in 8.x series)
@@ -33094,7 +33094,7 @@ CVE-2018-8035
RESERVED
CVE-2018-8034 (The host name verification when using TLS with the WebSocket client ...)
{DSA-4281-1 DLA-1491-1 DLA-1453-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.32-1
- tomcat8.0 <removed> (unimportant)
NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
@@ -33163,7 +33163,7 @@ CVE-2018-8015 (In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an
NOT-FOR-US: Apache ORC
CVE-2018-8014 (The defaults settings for the CORS filter provided in Apache Tomcat ...)
{DLA-1400-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.32-1 (bug #898935)
[stretch] - tomcat8 <no-dsa> (Minor issue; user expected to configure filters appropriately)
[jessie] - tomcat8 <no-dsa> (Minor issue; user expected to configure filters appropriately)
@@ -53052,7 +53052,7 @@ CVE-2018-1337 (In Apache LDAP API before 1.0.2, a bug in the way the SSL Filter
NOT-FOR-US: Apache LDAP API
CVE-2018-1336 (An improper handing of overflow in the UTF-8 decoder with ...)
{DSA-4281-1 DLA-1491-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.31-1
- tomcat8.0 <removed> (unimportant)
NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
@@ -53155,7 +53155,7 @@ CVE-2018-1306 (The PortletV3AnnotatedDemo Multipart Portlet war file code provid
NOT-FOR-US: Apache Portals Pluto
CVE-2018-1305 (Security constraints defined by annotations of Servlets in Apache ...)
{DSA-4281-1 DLA-1450-1 DLA-1400-1 DLA-1301-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.28-1
- tomcat8.0 <removed> (unimportant)
NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
@@ -53169,7 +53169,7 @@ CVE-2018-1305 (Security constraints defined by annotations of Servlets in Apache
NOTE: https://svn.apache.org/r1824360 (7.0.x)
CVE-2018-1304 (The URL pattern of "" (the empty string) which exactly maps to the ...)
{DSA-4281-1 DLA-1450-1 DLA-1400-1 DLA-1301-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.28-1
- tomcat8.0 <removed> (unimportant)
NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
@@ -61515,7 +61515,7 @@ CVE-2017-15708 (In Apache Synapse, by default no authentication is required for
CVE-2017-15707 (In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated ...)
- libstruts1.2-java <not-affected> (Specific to 2.x)
CVE-2017-15706 (As part of the fix for bug 61201, the documentation for Apache Tomcat ...)
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.24-1
[stretch] - tomcat8 <not-affected> (Issue introduced later)
[jessie] - tomcat8 <not-affected> (Issue introduced later)
@@ -86006,7 +86006,7 @@ CVE-2017-7677 (In environments that use external location for hive tables, Hive
CVE-2017-7676 (Policy resource matcher in Apache Ranger before 0.7.1 ignores ...)
NOT-FOR-US: Apache Ranger
CVE-2017-7675 (The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and ...)
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.16-1
[stretch] - tomcat8 8.5.14-1+deb9u2
[jessie] - tomcat8 <not-affected> (Only affects 8.5.0 to 8.5.15)
@@ -86016,7 +86016,7 @@ CVE-2017-7675 (The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21
NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61120
CVE-2017-7674 (The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to ...)
{DSA-3974-1 DLA-1400-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.16-1
- tomcat7 7.0.72-3
[wheezy] - tomcat7 <not-affected> (Vulnerable code not present)
@@ -92607,7 +92607,7 @@ CVE-2017-5665 (The splt_cue_export_to_file function in cue.c in libmp3splt 0.9.2
NOTE: No security impact, crash in CLI tool
CVE-2017-5664 (The error page mechanism of the Java Servlet Specification requires ...)
{DSA-3892-1 DSA-3891-1 DLA-996-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.14-2 (bug #864447)
- tomcat7 7.0.72-3
NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
@@ -92665,13 +92665,13 @@ CVE-2017-5653 (JAX-RS XML Security streaming clients in Apache CXF before 3.1.11
CVE-2017-5652 (During a routine security analysis, it was found that one of the ports ...)
NOT-FOR-US: Impala
CVE-2017-5651 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the ...)
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.11-2 (bug #860071)
[jessie] - tomcat8 <not-affected> (Only affects 8.5 and later)
NOTE: http://www.openwall.com/lists/oss-security/2017/04/10/21
NOTE: Fixed by: http://svn.apache.org/r1788546 (8.5.x)
CVE-2017-5650 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the ...)
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.11-2 (bug #860070)
[jessie] - tomcat8 <not-affected> (Only affects 8.5 and later)
NOTE: http://www.openwall.com/lists/oss-security/2017/04/10/22
@@ -92680,7 +92680,7 @@ CVE-2017-5649 (Apache Geode before 1.1.1, when a cluster has enabled security by
NOT-FOR-US: Apache Geode
CVE-2017-5648 (While investigating bug 60718, it was noticed that some calls to ...)
{DSA-3843-1 DSA-3842-1 DLA-924-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.11-2 (bug #860069)
- tomcat7 7.0.72-3
NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
@@ -92691,7 +92691,7 @@ CVE-2017-5648 (While investigating bug 60718, it was noticed that some calls to
NOTE: Fixed by: http://svn.apache.org/r1785777 (7.0.x)
CVE-2017-5647 (A bug in the handling of the pipelined requests in Apache Tomcat ...)
{DSA-3843-1 DSA-3842-1 DLA-924-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.11-2 (bug #860068)
- tomcat7 7.0.72-3
NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
@@ -110207,7 +110207,7 @@ CVE-2016-8746 (Apache Ranger before 0.6.3 policy engine incorrectly matches path
NOT-FOR-US: Apache Ranger
CVE-2016-8745 (A bug in the error handling of the send file code for the NIO HTTP ...)
{DSA-3755-1 DSA-3754-1 DLA-779-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.5.9-1
- tomcat7 7.0.72-3
NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
@@ -110253,7 +110253,7 @@ CVE-2016-8736 (Apache Openmeetings before 3.1.2 is vulnerable to Remote Code ...
NOT-FOR-US: Apache OpenMeetings
CVE-2016-8735 (Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x ...)
{DSA-3739-1 DSA-3738-1 DLA-729-1 DLA-728-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.0.39-1
- tomcat7 7.0.72-3
NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
@@ -116393,13 +116393,13 @@ CVE-2016-6819
CVE-2016-6818 (SQL injection vulnerability in SAP Business Intelligence platform ...)
NOT-FOR-US: SAP
CVE-2016-6817 (The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and ...)
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 <not-affected> (Only affects 9.x and 8.5.x)
- tomcat7 <not-affected> (Only affects 9.x and 8.5.x)
- tomcat6 <not-affected> (Only affects 9.x and 8.5.x)
CVE-2016-6816 (The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, ...)
{DSA-3739-1 DSA-3738-1 DLA-729-1 DLA-728-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.0.39-1
- tomcat7 7.0.72-3
NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
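Review bot: after this change every package line under CVE-2016-6817 is `<not-affected>`, which is consistent with the HTTP/2 header parser only existing in 9.x and 8.5.x, but the tomcat8, tomcat7 and tomcat6 lines give an explicit reason ("Only affects 9.x and 8.5.x") while the tomcat9 line relies on an unstated initial upload version being later than 9.0.0.M11; consider tying the tomcat9 reason to the range from the description, e.g. `- tomcat9 <not-affected> (Fixed before initial upload; only 9.0.0.M1 to 9.0.0.M11 affected)`, so the entry is self-consistent without external lookup.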
@@ -121303,7 +121303,7 @@ CVE-2016-5696 (net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not prop
CVE-2016-5389
REJECTED
CVE-2016-5388 (Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI ...)
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.0.37-1 (unimportant)
- tomcat7 7.0.72-1 (unimportant)
[jessie] - tomcat7 7.0.56-3+really7.0.88-1
@@ -128605,7 +128605,7 @@ CVE-2016-3092 (The MultipartStream class in Apache Commons Fileupload before 1.3
- libcommons-fileupload-java 1.3.2-1
- tomcat7 7.0.70-1
- tomcat8 8.0.36-1
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
NOTE: Fixed by https://svn.apache.org/r1743480
NOTE: Upstream advisory http://markmail.org/message/oyxfv73jb2g7rjg3
NOTE: https://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E
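Review bot: style, the tomcat9 line under CVE-2016-3092 sits last, after tomcat7 and tomcat8, whereas every other entry touched by this patch lists tomcat9 before the older tomcat source packages; consider moving `- tomcat9 <not-affected> (Fixed before initial upload)` directly below `- libcommons-fileupload-java 1.3.2-1` so the package ordering matches the rest of the list, the annotation itself is fine since the MultipartStream fix in the bundled Commons FileUpload predates the tomcat9 upload.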
@@ -136991,7 +136991,7 @@ CVE-2016-0764 (Race condition in Network Manager before 1.0.12 as packaged in Re
NOTE: Fixed in 1.0.12 for the 1.0.x branch: https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS?h=1.0.12
CVE-2016-0763 (The setGlobalContext method in ...)
{DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.0.32-1
- tomcat7 7.0.68-1
- tomcat6 6.0.41-3
@@ -137214,7 +137214,7 @@ CVE-2016-0715 (Pivotal Cloud Foundry Elastic Runtime version 1.4.0 through 1.4.5
NOT-FOR-US: Pivotal Cloud Foundry Elastic Runtime
CVE-2016-0714 (The session-persistence implementation in Apache Tomcat 6.x before ...)
{DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.0.32-1
- tomcat7 7.0.68-1
- tomcat6 6.0.41-3
@@ -137236,7 +137236,7 @@ CVE-2016-0707 (The agent in Apache Ambari before 2.1.2 uses weak permissions for
NOT-FOR-US: Apache Ambari
CVE-2016-0706 (Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, ...)
{DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.0.32-1
- tomcat7 7.0.68-1
- tomcat6 6.0.41-3
@@ -148037,7 +148037,7 @@ CVE-2015-5353 (Directory traversal vulnerability in Novius OS 5.0.1 (Elche) allo
NOT-FOR-US: Novius OS
CVE-2015-5351 (The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x ...)
{DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.0.32-1
- tomcat7 7.0.68-1
- tomcat6 6.0.41-3
@@ -148057,7 +148057,7 @@ CVE-2015-5347 (Cross-site scripting (XSS) vulnerability in the ...)
NOT-FOR-US: Apache Wicket
CVE-2015-5346 (Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x ...)
{DSA-3609-1 DSA-3552-1 DSA-3530-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.0.30-1
- tomcat7 7.0.68-1
- tomcat6 6.0.41-3
@@ -148069,7 +148069,7 @@ CVE-2015-5346 (Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66
NOTE: http://svn.apache.org/viewvc?view=revision&revision=1723506
CVE-2015-5345 (The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before ...)
{DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1}
- - tomcat9 <itp> (bug #802312)
+ - tomcat9 <not-affected> (Fixed before initial upload)
- tomcat8 8.0.30-1
- tomcat7 7.0.68-1
- tomcat6 6.0.41-3
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/218f3556a8918b64d67e7fe02043a8e9e10d26e8