Format: 1.8
Date: Wed, 04 Mar 2020 12:33:23 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.56-3+really7.0.100-1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Changes:
 tomcat7 (7.0.56-3+really7.0.100-1) jessie-security; urgency=high
 .
   * New upstream version 7.0.56-3+really7.0.100.
   * Fix CVE-2019-17569: HTTP Request Smuggling
     The refactoring in 7.0.98 introduced a regression. The result of the
     regression was that invalid Transfer-Encoding headers were incorrectly
     processed leading to a possibility of HTTP Request Smuggling if Tomcat
     was located behind a reverse proxy that incorrectly handled the invalid
     Transfer-Encoding header in a particular manner. Such a reverse proxy
     is considered unlikely.
   * Fix CVE-2020-1935: HTTP Request Smuggling
     The HTTP header parsing code used an approach to end-of-line (EOL)
     parsing that allowed some invalid HTTP headers to be parsed as valid.
     This led to a possibility of HTTP Request Smuggling if Tomcat was
     located behind a reverse proxy that incorrectly handled the invalid
     Transfer-Encoding header in a particular manner. Such a reverse proxy
     is considered unlikely.
   * Fix CVE-2020-1936: AJP Request Injection and potential Remote Code
     Execution
     When using the Apache JServ Protocol (AJP), care must be taken when
     trusting incoming connections to Apache Tomcat. Tomcat treats AJP
     connections as having higher trust than, for example, a similar HTTP
     connection. If such connections are available to an attacker, they can
     be exploited in ways that may be surprising. Prior to Tomcat 7.0.100,
     Tomcat shipped with an AJP Connector enabled by default that listened
     on all configured IP addresses. It was expected (and recommended in
     the security guide) that this Connector would be disabled if not
     required.
 .
     Note that Debian already disabled the AJP connector by default.
     Mitigation is only required if the AJP port was made accessible to
     untrusted users.
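As an added illustration of the CVE-2020-1936 mitigation (not part of this upload or of the Tomcat project's own files): the first fragment is the Debian default, with the AJP Connector left commented out; the second shows the only form in which it should be re-enabled, bound to loopback for a reverse proxy on the same host and carrying the shared secret that Tomcat 7.0.100 requires by default. The file path and the secret value are assumptions.

```xml
<!-- Debian default in /etc/tomcat7/server.xml (path assumed): AJP stays disabled. -->
<!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->

<!-- Only if a local reverse proxy (e.g. mod_jk or mod_proxy_ajp) needs AJP:
     bind to loopback so port 8009 is never reachable from other hosts, and
     set the shared secret that Tomcat 7.0.100 requires (secretRequired="true"
     is the default). The secret value below is a placeholder, not a real one. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true"
           secret="CHANGE-ME-long-random-string"
           redirectPort="8443" />
```

The proxy must be configured with the same secret, otherwise Tomcat rejects its AJP connections; confirm the result with `ss -ltn` and check that 8009 is listed only on 127.0.0.1.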