[Git][security-tracker-team/security-tracker][master] 3 commits: tomcat9 entered the archive

Salvatore Bonaccorso carnil at debian.org
Mon Dec 3 16:33:10 GMT 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1f0407bd by Salvatore Bonaccorso at 2018-12-03T16:02:41Z
tomcat9 entered the archive

All issues were addressed before or at the latest with the 9.0.13 upload
entering unstable and as such can be marked as <not-affected> (Fixed
before initial upload to Debian).

- - - - -
5deb8406 by Salvatore Bonaccorso at 2018-12-03T16:05:18Z
Merge remote-tracking branch 'origin/master'

- - - - -
5958c37b by Salvatore Bonaccorso at 2018-12-03T16:32:10Z
Add upstream commit for CVE-2018-19788/policykit-1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -41,6 +41,7 @@ CVE-2018-19789
 CVE-2018-19788 (A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user ...)
 	- policykit-1 <unfixed> (bug #915332)
 	NOTE: https://gitlab.freedesktop.org/polkit/polkit/issues/74
+	NOTE: https://gitlab.freedesktop.org/zbyszek/polkit/commit/fbaab32cb4ed9ed5f1e3eea6cd317d443aa427dc
 CVE-2018-19787 (An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the ...)
 	- lxml 4.2.5-1
 	NOTE: Fixed by: https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109 (lxml-4.2.5)
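Review bot: the NOTE added for CVE-2018-19788 points at a commit in a personal fork (gitlab.freedesktop.org/zbyszek/polkit/...) rather than the main polkit repository, so the URL can go stale if that fork is rebased or removed; once the fix is merged upstream, replace it with the canonical polkit commit URL, and consider the `NOTE: Fixed by: <url>` form used for lxml two entries below so the tracker reads consistently. The package line `- policykit-1 <unfixed> (bug #915332)` is unchanged, which is right until a fixed Debian upload exists.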
@@ -23259,7 +23260,7 @@ CVE-2018-11785 (Missing authorization check in Apache Impala before 3.0.1 allows
 	NOT-FOR-US: Apache Impala
 CVE-2018-11784 (When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, ...)
 	{DLA-1545-1 DLA-1544-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.34-1
 	- tomcat8.0 <removed> (unimportant)
 	NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
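Review bot: every tomcat9 line touched in this and the following hunks already carried `<not-affected>` before the change; the hunk only extends the rationale from "Fixed before initial upload" to "Fixed before initial upload to Debian". That is a harmless clarification, but the commit message ("can be marked as <not-affected>") reads as if the marking were new, so it would be clearer to state there that the entries were already marked and only the justification text is being made explicit.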
@@ -33078,7 +33079,7 @@ CVE-2018-8038 (Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable
 	NOT-FOR-US: Apache CXF
 CVE-2018-8037 (If an async request was completed by the application at the same time ...)
 	{DSA-4281-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.32-1
 	[jessie] - tomcat8 <not-affected> (vulnerable code only present in 8.5.5 to 8.5.31 in 8.x series)
 	- tomcat8.0 <not-affected> (Vulnerable code only present in 8.5.5 to 8.5.31 in 8.x series)
@@ -33094,7 +33095,7 @@ CVE-2018-8035
 	RESERVED
 CVE-2018-8034 (The host name verification when using TLS with the WebSocket client ...)
 	{DSA-4281-1 DLA-1491-1 DLA-1453-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.32-1
 	- tomcat8.0 <removed> (unimportant)
 	NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
@@ -33163,7 +33164,7 @@ CVE-2018-8015 (In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an
 	NOT-FOR-US: Apache ORC
 CVE-2018-8014 (The defaults settings for the CORS filter provided in Apache Tomcat ...)
 	{DLA-1400-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.32-1 (bug #898935)
 	[stretch] - tomcat8 <no-dsa> (Minor issue; user expected to configure filters appropriately)
 	[jessie] - tomcat8 <no-dsa> (Minor issue; user expected to configure filters appropriately)
@@ -53052,7 +53053,7 @@ CVE-2018-1337 (In Apache LDAP API before 1.0.2, a bug in the way the SSL Filter
 	NOT-FOR-US: Apache LDAP API
 CVE-2018-1336 (An improper handing of overflow in the UTF-8 decoder with ...)
 	{DSA-4281-1 DLA-1491-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.31-1
 	- tomcat8.0 <removed> (unimportant)
 	NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
@@ -53155,7 +53156,7 @@ CVE-2018-1306 (The PortletV3AnnotatedDemo Multipart Portlet war file code provid
 	NOT-FOR-US: Apache Portals Pluto
 CVE-2018-1305 (Security constraints defined by annotations of Servlets in Apache ...)
 	{DSA-4281-1 DLA-1450-1 DLA-1400-1 DLA-1301-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.28-1
 	- tomcat8.0 <removed> (unimportant)
 	NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
@@ -53169,7 +53170,7 @@ CVE-2018-1305 (Security constraints defined by annotations of Servlets in Apache
 	NOTE: https://svn.apache.org/r1824360 (7.0.x)
 CVE-2018-1304 (The URL pattern of "" (the empty string) which exactly maps to the ...)
 	{DSA-4281-1 DLA-1450-1 DLA-1400-1 DLA-1301-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.28-1
 	- tomcat8.0 <removed> (unimportant)
 	NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
@@ -61515,7 +61516,7 @@ CVE-2017-15708 (In Apache Synapse, by default no authentication is required for
 CVE-2017-15707 (In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated ...)
 	- libstruts1.2-java <not-affected> (Specific to 2.x)
 CVE-2017-15706 (As part of the fix for bug 61201, the documentation for Apache Tomcat ...)
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.24-1
 	[stretch] - tomcat8 <not-affected> (Issue introduced later)
 	[jessie] - tomcat8 <not-affected> (Issue introduced later)
@@ -86006,7 +86007,7 @@ CVE-2017-7677 (In environments that use external location for hive tables, Hive
 CVE-2017-7676 (Policy resource matcher in Apache Ranger before 0.7.1 ignores ...)
 	NOT-FOR-US: Apache Ranger
 CVE-2017-7675 (The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and ...)
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.16-1
 	[stretch] - tomcat8 8.5.14-1+deb9u2
 	[jessie] - tomcat8 <not-affected> (Only affects 8.5.0 to 8.5.15)
@@ -86016,7 +86017,7 @@ CVE-2017-7675 (The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21
 	NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61120
 CVE-2017-7674 (The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to ...)
 	{DSA-3974-1 DLA-1400-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.16-1
 	- tomcat7 7.0.72-3
 	[wheezy] - tomcat7 <not-affected> (Vulnerable code not present)
@@ -92607,7 +92608,7 @@ CVE-2017-5665 (The splt_cue_export_to_file function in cue.c in libmp3splt 0.9.2
 	NOTE: No security impact, crash in CLI tool
 CVE-2017-5664 (The error page mechanism of the Java Servlet Specification requires ...)
 	{DSA-3892-1 DSA-3891-1 DLA-996-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.14-2 (bug #864447)
 	- tomcat7 7.0.72-3
 	NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
@@ -92665,13 +92666,13 @@ CVE-2017-5653 (JAX-RS XML Security streaming clients in Apache CXF before 3.1.11
 CVE-2017-5652 (During a routine security analysis, it was found that one of the ports ...)
 	NOT-FOR-US: Impala
 CVE-2017-5651 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the ...)
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.11-2 (bug #860071)
 	[jessie] - tomcat8 <not-affected> (Only affects 8.5 and later)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/04/10/21
 	NOTE: Fixed by: http://svn.apache.org/r1788546 (8.5.x)
 CVE-2017-5650 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the ...)
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.11-2 (bug #860070)
 	[jessie] - tomcat8 <not-affected> (Only affects 8.5 and later)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/04/10/22
@@ -92680,7 +92681,7 @@ CVE-2017-5649 (Apache Geode before 1.1.1, when a cluster has enabled security by
 	NOT-FOR-US: Apache Geode
 CVE-2017-5648 (While investigating bug 60718, it was noticed that some calls to ...)
 	{DSA-3843-1 DSA-3842-1 DLA-924-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.11-2 (bug #860069)
 	- tomcat7 7.0.72-3
 	NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
@@ -92691,7 +92692,7 @@ CVE-2017-5648 (While investigating bug 60718, it was noticed that some calls to
 	NOTE: Fixed by: http://svn.apache.org/r1785777 (7.0.x)
 CVE-2017-5647 (A bug in the handling of the pipelined requests in Apache Tomcat ...)
 	{DSA-3843-1 DSA-3842-1 DLA-924-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.11-2 (bug #860068)
 	- tomcat7 7.0.72-3
 	NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
@@ -110207,7 +110208,7 @@ CVE-2016-8746 (Apache Ranger before 0.6.3 policy engine incorrectly matches path
 	NOT-FOR-US: Apache Ranger
 CVE-2016-8745 (A bug in the error handling of the send file code for the NIO HTTP ...)
 	{DSA-3755-1 DSA-3754-1 DLA-779-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.5.9-1
 	- tomcat7 7.0.72-3
 	NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
@@ -110253,7 +110254,7 @@ CVE-2016-8736 (Apache Openmeetings before 3.1.2 is vulnerable to Remote Code ...
 	NOT-FOR-US: Apache OpenMeetings
 CVE-2016-8735 (Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x ...)
 	{DSA-3739-1 DSA-3738-1 DLA-729-1 DLA-728-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.0.39-1
 	- tomcat7 7.0.72-3
 	NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
@@ -116393,13 +116394,13 @@ CVE-2016-6819
 CVE-2016-6818 (SQL injection vulnerability in SAP Business Intelligence platform ...)
 	NOT-FOR-US: SAP
 CVE-2016-6817 (The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and ...)
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 <not-affected> (Only affects 9.x and 8.5.x)
 	- tomcat7 <not-affected> (Only affects 9.x and 8.5.x)
 	- tomcat6 <not-affected> (Only affects 9.x and 8.5.x)
 CVE-2016-6816 (The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, ...)
 	{DSA-3739-1 DSA-3738-1 DLA-729-1 DLA-728-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.0.39-1
 	- tomcat7 7.0.72-3
 	NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
@@ -121303,7 +121304,7 @@ CVE-2016-5696 (net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not prop
 CVE-2016-5389
 	REJECTED
 CVE-2016-5388 (Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI ...)
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.0.37-1 (unimportant)
 	- tomcat7 7.0.72-1 (unimportant)
 	[jessie] - tomcat7 7.0.56-3+really7.0.88-1
@@ -128605,7 +128606,7 @@ CVE-2016-3092 (The MultipartStream class in Apache Commons Fileupload before 1.3
 	- libcommons-fileupload-java 1.3.2-1
 	- tomcat7 7.0.70-1
 	- tomcat8 8.0.36-1
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	NOTE: Fixed by https://svn.apache.org/r1743480
 	NOTE: Upstream advisory http://markmail.org/message/oyxfv73jb2g7rjg3
 	NOTE: https://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E
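Review bot: in this hunk the `- tomcat9 <not-affected>` line for CVE-2016-3092 sits after the tomcat7 and tomcat8 lines, whereas every other Tomcat entry in the patch lists tomcat9 first, followed by tomcat8, tomcat7 and tomcat6; since the line is being edited anyway, moving it above `- tomcat7 7.0.70-1` would keep the package ordering consistent across the file.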
@@ -136991,7 +136992,7 @@ CVE-2016-0764 (Race condition in Network Manager before 1.0.12 as packaged in Re
 	NOTE: Fixed in 1.0.12 for the 1.0.x branch: https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS?h=1.0.12
 CVE-2016-0763 (The setGlobalContext method in ...)
 	{DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.0.32-1
 	- tomcat7 7.0.68-1
 	- tomcat6 6.0.41-3
@@ -137214,7 +137215,7 @@ CVE-2016-0715 (Pivotal Cloud Foundry Elastic Runtime version 1.4.0 through 1.4.5
 	NOT-FOR-US: Pivotal Cloud Foundry Elastic Runtime
 CVE-2016-0714 (The session-persistence implementation in Apache Tomcat 6.x before ...)
 	{DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.0.32-1
 	- tomcat7 7.0.68-1
 	- tomcat6 6.0.41-3
@@ -137236,7 +137237,7 @@ CVE-2016-0707 (The agent in Apache Ambari before 2.1.2 uses weak permissions for
 	NOT-FOR-US: Apache Ambari
 CVE-2016-0706 (Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, ...)
 	{DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.0.32-1
 	- tomcat7 7.0.68-1
 	- tomcat6 6.0.41-3
@@ -148037,7 +148038,7 @@ CVE-2015-5353 (Directory traversal vulnerability in Novius OS 5.0.1 (Elche) allo
 	NOT-FOR-US: Novius OS
 CVE-2015-5351 (The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x ...)
 	{DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.0.32-1
 	- tomcat7 7.0.68-1
 	- tomcat6 6.0.41-3
@@ -148057,7 +148058,7 @@ CVE-2015-5347 (Cross-site scripting (XSS) vulnerability in the ...)
 	NOT-FOR-US: Apache Wicket
 CVE-2015-5346 (Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x ...)
 	{DSA-3609-1 DSA-3552-1 DSA-3530-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.0.30-1
 	- tomcat7 7.0.68-1
 	- tomcat6 6.0.41-3
@@ -148069,7 +148070,7 @@ CVE-2015-5346 (Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66
 	NOTE: http://svn.apache.org/viewvc?view=revision&revision=1723506
 CVE-2015-5345 (The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before ...)
 	{DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1}
-	- tomcat9 <not-affected> (Fixed before initial upload)
+	- tomcat9 <not-affected> (Fixed before initial upload to Debian)
 	- tomcat8 8.0.30-1
 	- tomcat7 7.0.68-1
 	- tomcat6 6.0.41-3



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/218f3556a8918b64d67e7fe02043a8e9e10d26e8...5958c37ba944e1717fb597d5cf9035bb1d994912
