tomcat8_8.5.54-0+deb9u1_amd64.changes ACCEPTED into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates

Debian FTP Masters ftpmaster at ftp-master.debian.org
Sat May 9 16:33:47 BST 2020



Accepted:

Format: 1.8
Date: Sat, 25 Apr 2020 17:01:31 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.5.54-0+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Changed-By: Markus Koschany <apo at debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat8 (8.5.54-0+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2019-17569: HTTP Request Smuggling
      The refactoring in 8.5.48 introduced a regression. The result of the
      regression was that invalid Transfer-Encoding headers were incorrectly
      processed leading to a possibility of HTTP Request Smuggling if Tomcat was
      located behind a reverse proxy that incorrectly handled the invalid
      Transfer-Encoding header in a particular manner. Such a reverse proxy is
      considered unlikely.
   * Fix CVE-2020-1935: HTTP Request Smuggling
      The HTTP header parsing code used an approach to end-of-line (EOL) parsing
      that allowed some invalid HTTP headers to be parsed as valid. This led to a
      possibility of HTTP Request Smuggling if Tomcat was located behind a
      reverse proxy that incorrectly handled the invalid Transfer-Encoding header
      in a particular manner. Such a reverse proxy is considered unlikely.
   * Fix CVE-2020-1938: AJP Request Injection and potential Remote Code
      Execution
      When using the Apache JServ Protocol (AJP), care must be taken
      when trusting incoming connections to Apache Tomcat. Tomcat treats AJP
      connections as having higher trust than, for example, a similar HTTP
      connection. If such connections are available to an attacker, they can be
      exploited in ways that may be surprising. Prior to Tomcat 8.5.51, Tomcat
      shipped with an AJP Connector enabled by default that listened on all
      configured IP addresses. It was expected (and recommended in the security
      guide) that this Connector would be disabled if not required.
      .
      Note that Debian already disabled the AJP connector by default. Mitigation
      is only required if the AJP port was made accessible to untrusted users.
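As an added example (not part of the Debian package or of Tomcat), the following script checks the condition the CVE-2020-1938 note above turns on: it reads a Tomcat server.xml, lists the AJP connectors that are actually enabled, and reports their bind address and whether a shared secret is configured. It assumes the standard server.xml layout with <Connector> elements and runs against a constructed sample file embedded inline.

```python
"""Audit a Tomcat server.xml for enabled AJP connectors (added example; not
part of the Debian package or Tomcat). Assumes the standard server.xml layout
in which connectors are <Connector> elements under <Service>."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample, not a real deployment: the first AJP connector is
# commented out (as Debian ships it); the second is enabled and, lacking an
# address attribute, listens on all configured IP addresses.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""


def find_ajp_connectors(server_xml):
    """Return one dict per enabled AJP connector.

    ElementTree drops XML comments while parsing, so a connector disabled by
    commenting it out is, correctly, not reported.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" and the org.apache.coyote.ajp.Ajp*Protocol names.
        if "ajp" not in protocol.lower():
            continue
        address = conn.get("address")  # absent: bound on all interfaces
        findings.append({
            "port": conn.get("port"),
            "address": address or "*",
            "exposed": address not in LOOPBACK,
            # "secret" (newer) or "requiredSecret" (older) is the AJP shared secret
            "has_secret": bool(conn.get("secret") or conn.get("requiredSecret")),
        })
    return findings


def needs_mitigation(server_xml):
    """True when an AJP connector is reachable beyond loopback without a secret."""
    return any(f["exposed"] and not f["has_secret"]
               for f in find_ajp_connectors(server_xml))
```

Run it against the real /etc/tomcat8/server.xml by passing the file contents to needs_mitigation(); an empty finding list means the connector is still disabled as Debian ships it.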
Checksums-Sha1:
Checksums-Sha256:
Files:



Thank you for your contribution to Debian.