Format: 1.8
Date: Tue, 13 Aug 2019 16:22:22 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u15
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documentation
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web application
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat8 (8.0.14-1+deb8u15) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix flaky FTBFS by improving fix for CVE-2017-5647.
   * Refresh the expired SSL certificates used by the tests from
     freshly-renewed upstream Tomcat and adapt the test user DN.
   * Fix CVE-2019-0221: The SSI printenv command in Apache Tomcat echoes
     user-provided data without escaping and is, therefore, vulnerable to
     XSS. SSI is disabled by default. The printenv command is intended for
     debugging and is unlikely to be present in a production website.
   * Fix CVE-2018-8014: The default settings for the CORS filter provided
     in Apache Tomcat are insecure and enable 'supportsCredentials' for all
     origins. It is expected that users of the CORS filter will have
     configured it appropriately for their environment rather than using it
     in the default configuration. Therefore, it is expected that most users
     will not be impacted by this issue.
   * Fix CVE-2016-5388: Apache Tomcat, when the CGI Servlet is enabled,
     follows RFC 3875 section 4.1.18 and therefore does not protect
     applications from the presence of untrusted client data in the
     HTTP_PROXY environment variable, which might allow remote attackers to
     redirect an application's outbound HTTP traffic to an arbitrary proxy
     server via a crafted Proxy header in an HTTP request, aka an "httpoxy"
     issue. The 'cgi' servlet now has a 'envHttpHeaders' parameter to
     filter environment variables.
Checksums-Sha1:
Checksums-Sha256:
Files:
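As an added illustration of the CVE-2018-8014 changelog item (example configuration, not part of this upload record or of the Debian package): a Tomcat web.xml fragment showing the permissive CorsFilter settings that the pre-fix defaults amounted to, next to a restricted configuration. The init-param names are those of Tomcat's CorsFilter; the origin, methods and URL pattern are assumed values.

```xml
<!-- Added example, not from the upload record. Init-param names are the
     CorsFilter's own; https://app.example.com and /api/* are assumed. -->

<!-- Permissive: any origin plus credentials. Before the CVE-2018-8014 fix an
     unconfigured CorsFilter behaved like this (cors.support.credentials
     defaulted to true), so the filter reflected any requesting Origin in
     Access-Control-Allow-Origin while also allowing cookies to be sent.
     Shown for contrast only; it is deliberately not mapped to a URL. -->
<filter>
  <filter-name>CorsFilterPermissive</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<!-- Restricted: name the single trusted origin explicitly, limit methods,
     and only then allow credentialed requests from that origin. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>https://app.example.com</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,OPTIONS</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/api/*</url-pattern>
</filter-mapping>
```

After deploying the fixed package, a quick check is to send a preflight request with a foreign Origin and confirm that Access-Control-Allow-Origin is absent rather than echoing that origin.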