Bug#959747: tomcat8: Tomcat8 fix for CVE-2020-1938 breaks compatibility with Apache2 mod_proxy_ajp
Markus Koschany
apo at debian.org
Mon May 4 21:52:41 BST 2020
Control: severity -1 normal
Hello,
Am 04.05.20 um 21:58 schrieb Gianluca Bonetti:
> Package: tomcat8
> Version: 8.5.54-0+deb9u1
> Severity: grave
>
> Dear Maintainer,
>
> The last tomcat8 upgrade, fixing CVE-2020-1938, is breaking the
> functionality of the Tomcat AJP connector
> in a standard setup.
> The updated tomcat8 version implements the 'secretRequired' parameter in
> the <Connector> tag of the config file
> /etc/tomcat8/server.xml (attached by reportbug), and the implicit default
> for 'secretRequired' is true.
> The default value is not explicitly marked in the standard server.xml,
> nor documented there.
[...]
The security update requires a manual update to your Tomcat 8
configuration, and only in specific cases. Debian cannot fix that
automatically. The Tomcat 8 documentation is relevant here:
https://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html
This is not a Debian bug and it works as intended.
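The configuration change the reply refers to, as an added example that is not part of the bug report or the Debian package: the AJP <Connector> in /etc/tomcat8/server.xml before and after the CVE-2020-1938 update, following the Tomcat 8.5 AJP documentation linked above. The address, port and secret value are constructed placeholders, and the httpd directive assumes a mod_proxy_ajp build that accepts the `secret` worker parameter.

```xml
<!-- Added example, not from the bug report or Debian packaging.
     Port, address and the secret value are constructed placeholders. -->

<!-- BEFORE: a typical pre-update connector. Once secretRequired defaults
     to true, this connector has no secret, so Tomcat 8.5.51+ refuses to
     initialise it; that is the breakage reported above. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- OPTION A (preferred): keep the secret requirement and configure a
     shared secret. Apache httpd must send the same value on its side,
     e.g. (assumes an httpd whose mod_proxy_ajp supports the secret
     worker parameter):
       ProxyPass "/app" "ajp://127.0.0.1:8009/app" secret="CHANGE-ME-example-secret"
-->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="CHANGE-ME-example-secret" />

<!-- OPTION B: explicitly opt out of the secret. Only acceptable when the
     connector is bound to an address that nothing but the local httpd
     can reach, since AJP otherwise trusts whoever connects. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="false" />
```

Only one of the two <Connector> elements belongs in a real server.xml; after editing, restart tomcat8 and check catalina.out for the connector coming up without an IllegalArgumentException about the missing secret.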