Bug#952438: Bug#952437: tomcat9: vulnerable for "ghostcat", CVE-2020-1938 / CNVD-2020-10487

Emmanuel Bourg ebourg at apache.org
Mon Feb 24 13:52:28 GMT 2020


On 24/02/2020 at 14:32, Joost van Baal-Ilić wrote:

> Tomcat as shipped by Debian is likely not vulnerable from the network in the
> default configuration, since by default Tomcat AJP Connector only listens on
> localhost:8009, not on *:8009 .

I confirm the Tomcat packages shipped in Debian aren't vulnerable with
the default configuration, the AJP connector has been disabled by
default since 2008.

https://salsa.debian.org/java-team/tomcat9/blob/debian/9.0.16-4/debian/patches/0002-do-not-load-AJP13-connector-by-default.patch

https://salsa.debian.org/java-team/tomcat8/blob/debian/8.5.50-0+deb9u1/debian/patches/0002-do-not-load-AJP13-connector-by-default.patch

https://salsa.debian.org/java-team/tomcat7/blob/debian/7.0.56-3+really7.0.91-1/debian/patches/0002-do-not-load-AJP13-connector-by-default.patch

Emmanuel Bourg
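The thread turns on two configuration facts: whether the AJP connector is enabled at all in `server.xml`, and, if it is, whether it is bound to localhost or to all interfaces. The script below is an added example of how an administrator can check that from a `server.xml` file; it is not part of this message or of the Debian packaging. The three `server.xml` fragments are constructed samples, and the script assumes (as the Tomcat releases under discussion behave) that a connector without an `address` attribute listens on all interfaces.

```python
import sys
import xml.etree.ElementTree as ET

# Addresses that keep an AJP listener off the network.
LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}

# Constructed server.xml samples (illustrations, not the Debian package's files).
DEBIAN_DEFAULT = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!-- AJP connector left commented out, as Debian's patch does -->
    <!-- <Connector protocol="AJP/1.3" port="8009" redirectPort="8443"/> -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

AJP_ALL_INTERFACES = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector protocol="AJP/1.3" port="8009" redirectPort="8443"/>
  </Service>
</Server>
"""

AJP_LOOPBACK_WITH_SECRET = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector protocol="AJP/1.3" port="8009" address="127.0.0.1"
               secretRequired="true" secret="EXAMPLE-SHARED-SECRET"/>
  </Service>
</Server>
"""


def ajp_connectors(server_xml):
    """Return one dict per enabled AJP connector in a server.xml document.

    ElementTree drops XML comments, so a commented-out connector (the Debian
    default) is correctly reported as absent.  A missing ``address`` attribute
    is treated as "all interfaces" (assumption stated in the lead-in).
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        address = conn.get("address", "0.0.0.0")
        # Both attribute spellings: `requiredSecret` (older) and `secret` (newer).
        secret = conn.get("secret") or conn.get("requiredSecret")
        findings.append({
            "port": conn.get("port", "8009"),
            "address": address,
            "loopback_only": address in LOOPBACK,
            "has_secret": bool(secret),
        })
    return findings


def assess(server_xml):
    """Summarise the AJP exposure as 'disabled', 'loopback' or 'exposed'."""
    found = ajp_connectors(server_xml)
    if not found:
        return "disabled"
    if all(f["loopback_only"] for f in found):
        return "loopback"
    return "exposed"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python ajp_check.py /path/to/server.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"debian-default": DEBIAN_DEFAULT,
                   "ajp-all-interfaces": AJP_ALL_INTERFACES,
                   "ajp-loopback-with-secret": AJP_LOOPBACK_WITH_SECRET}
    for name, doc in samples.items():
        print(f"{name}: {assess(doc)}")
        for f in ajp_connectors(doc):
            print("   ", f)
```

Run it with the path of the `server.xml` to inspect; with no argument it reports on the three constructed samples. "exposed" is the state the thread is about: an AJP connector that is enabled and not pinned to a loopback address.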



More information about the pkg-java-maintainers mailing list