[tomcat8] 02/05: Update changelog
Markus Koschany
apo at moszumanska.debian.org
Wed Apr 12 12:11:01 UTC 2017
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch master
in repository tomcat8.
commit db05407e1614c0b167137d68762b625e6bcf6a41
Author: Markus Koschany <apo at debian.org>
Date: Wed Apr 12 10:03:28 2017 +0200
Update changelog
---
debian/changelog | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 0e70c82..e53a324 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,37 @@
+tomcat8 (8.5.11-2) unstable; urgency=medium
+
+ * Team upload.
+ * Fix the following security vulnerabilities:
+ - CVE-2017-5647:
+ A bug in the handling of the pipelined requests when send file was used
+ resulted in the pipelined request being lost when send file processing of
+ the previous request completed. This could result in responses appearing
+ to be sent for the wrong request. For example, a user agent that sent
+ requests A, B and C could see the correct response for request A, the
+ response for request C for request B and no response for request C.
+ - CVE-2017-5648:
+ It was noticed that some calls to application listeners did not use the
+ appropriate facade object. When running an untrusted application under a
+ SecurityManager, it was therefore possible for that untrusted application
+ to retain a reference to the request or response object and thereby access
+ and/or modify information associated with another web application.
+ - CVE-2017-5650:
+ The handling of an HTTP/2 GOAWAY frame for a connection did not close
+ streams associated with that connection that were currently waiting for a
+ WINDOW_UPDATE before allowing the application to write more data. These
+ waiting streams each consumed a thread. A malicious client could therefore
+ construct a series of HTTP/2 requests that would consume all available
+ processing threads.
+ - CVE-2017-5651:
+ The refactoring of the HTTP connectors for 8.5.x onwards, introduced a
+ regression in the send file processing. If the send file processing
+ completed quickly, it was possible for the Processor to be added to the
+ processor cache twice. This could result in the same Processor being used
+ for multiple requests which in turn could lead to unexpected errors and/or
+ response mix-up.
+
+ -- Markus Koschany <apo at debian.org> Wed, 12 Apr 2017 09:58:46 +0200
+
tomcat8 (8.5.11-1) unstable; urgency=medium
* Team upload.
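Review bot: the 8.5.11-2 stanza does not say where the four CVE fixes come from; since the upstream version is unchanged, the fixes must be backported patches, and the entry should name them (the debian/patches file for each CVE, or the upstream commit or release they were taken from) so the backport can be checked against the advisory text, e.g. `- CVE-2017-5647 (debian/patches/PLACEHOLDER-NAME.patch):`. The stanza also keeps `urgency=medium` although it consists solely of security fixes; Debian practice for security-only uploads is `urgency=high`, which also shortens the migration delay to testing, so consider changing the header line `tomcat8 (8.5.11-2) unstable; urgency=medium` accordingly.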
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git