[Git][java-team/tomcat8][stretch] 3 commits: Import Upstream version 8.5.54

Markus Koschany gitlab at salsa.debian.org
Fri Apr 10 20:20:23 BST 2020 


Markus Koschany pushed to branch stretch at Debian Java Maintainers / tomcat8


Commits:
7941f5ae by Markus Koschany at 2020-04-10T21:18:16+02:00
Import Upstream version 8.5.54
- - - - -
166008b7 by Markus Koschany at 2020-04-10T21:18:21+02:00
Import Debian changes 8.5.54-0+deb9u1

tomcat8 (8.5.54-0+deb9u1) stretch-security; urgency=high

  * Team upload.
  * Fix CVE-2019-17569: HTTP Request Smuggling
     The refactoring in 8.5.48 introduced a regression. The result of the
     regression was that invalid Transfer-Encoding headers were incorrectly
     processed leading to a possibility of HTTP Request Smuggling if Tomcat was
     located behind a reverse proxy that incorrectly handled the invalid
     Transfer-Encoding header in a particular manner. Such a reverse proxy is
     considered unlikely.
   * Fix CVE-2020-1935: HTTP Request Smuggling
     The HTTP header parsing code used an approach to end-of-line (EOL) parsing
     that allowed some invalid HTTP headers to be parsed as valid. This led to a
     possibility of HTTP Request Smuggling if Tomcat was located behind a
     reverse proxy that incorrectly handled the invalid Transfer-Encoding header
     in a particular manner. Such a reverse proxy is considered unlikely.
   * Fix CVE-2020-1938: AJP Request Injection and potential Remote Code Execution
     When using the Apache JServ Protocol (AJP), care must be taken when
     trusting incoming connections to Apache Tomcat. Tomcat treats AJP
     connections as having higher trust than, for example, a similar HTTP
     connection. If such connections are available to an attacker, they can be
     exploited in ways that may be surprising. Prior to Tomcat 7.0.100, Tomcat
     shipped with an AJP Connector enabled by default that listened on all
     configured IP addresses. It was expected (and recommended in the security
     guide) that this Connector would be disabled if not required.
     .
     Note that Debian already disabled the AJP connector by default. Mitigation
     is only required if the AJP port was made accessible to untrusted users.

- - - - -
394ff3b3 by Markus Koschany at 2020-04-10T21:19:34+02:00
Set to UNRELEASED

- - - - -


30 changed files:

- + .travis.yml
- + .travis/antTest.sh
- NOTICE
- bin/catalina.bat
- bin/catalina.sh
- bin/daemon.sh
- build.properties.default
- build.xml
- conf/catalina.policy
- conf/server.xml
- conf/web.xml
- debian/changelog
- − debian/patches/0002-do-not-load-AJP13-connector-by-default.patch
- debian/patches/0018-fix-manager-webapp.patch
- debian/patches/series
- java/javax/el/ExpressionFactory.java
- java/javax/el/ImportHandler.java
- java/javax/el/LocalStrings.properties
- java/javax/el/LocalStrings_fr.properties
- java/javax/el/StaticFieldELResolver.java
- java/javax/security/auth/message/config/AuthConfigFactory.java
- java/javax/servlet/LocalStrings_zh_CN.properties
- java/javax/servlet/annotation/WebServlet.java
- java/javax/servlet/http/HttpServlet.java
- java/org/apache/catalina/AccessLog.java
- java/org/apache/catalina/Globals.java
- java/org/apache/catalina/SessionEvent.java
- java/org/apache/catalina/WebResourceRoot.java
- java/org/apache/catalina/ant/AbstractCatalinaTask.java
- java/org/apache/catalina/ant/ValidatorTask.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/java-team/tomcat8/-/compare/63928c74ba4bf3db1044d551277a2b8ee978e32b...394ff3b35e8c7f80a217eac2be542b9055642244

-- 
View it on GitLab: https://salsa.debian.org/java-team/tomcat8/-/compare/63928c74ba4bf3db1044d551277a2b8ee978e32b...394ff3b35e8c7f80a217eac2be542b9055642244
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20200410/3b472fa6/attachment.html>

More information about the pkg-java-commits mailing list