-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 25 Apr 2020 17:01:31 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.5.54-0+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat8 (8.5.54-0+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2019-17569: HTTP Request Smuggling
     The refactoring in 8.5.48 introduced a regression. The result of the
     regression was that invalid Transfer-Encoding headers were incorrectly
     processed leading to a possibility of HTTP Request Smuggling if Tomcat
     was located behind a reverse proxy that incorrectly handled the invalid
     Transfer-Encoding header in a particular manner. Such a reverse proxy is
     considered unlikely.
   * Fix CVE-2020-1935: HTTP Request Smuggling
     The HTTP header parsing code used an approach to end-of-line (EOL)
     parsing that allowed some invalid HTTP headers to be parsed as valid.
     This led to a possibility of HTTP Request Smuggling if Tomcat was
     located behind a reverse proxy that incorrectly handled the invalid
     Transfer-Encoding header in a particular manner. Such a reverse proxy is
     considered unlikely.
   * Fix CVE-2020-1938: AJP Request Injection and potential Remote Code
     Execution
     When using the Apache JServ Protocol (AJP), care must be taken when
     trusting incoming connections to Apache Tomcat. Tomcat treats AJP
     connections as having higher trust than, for example, a similar HTTP
     connection. If such connections are available to an attacker, they can
     be exploited in ways that may be surprising. Prior to Tomcat 8.5.51,
     Tomcat shipped with an AJP Connector enabled by default that listened on
     all configured IP addresses. It was expected (and recommended in the
     security guide) that this Connector would be disabled if not required.
     .
     Note that Debian already disabled the AJP connector by default.
     Mitigation is only required if the AJP port was made accessible to
     untrusted users.
Checksums-Sha1:
 679a0025d1ae244cc8b5de63edb5ce44ef419273 3101 tomcat8_8.5.54-0+deb9u1.dsc
 8de4d5b538a9b5464e3c308e5eae0e1b602c99a2 3779176 tomcat8_8.5.54.orig.tar.xz
 229167ed72e50b0f15154c316b6ddaa8beedf6ef 43204 tomcat8_8.5.54-0+deb9u1.debian.tar.xz
 530f6d0042d14a2fbb85833da6f3b70fd2985a9d 243444 libservlet3.1-java-doc_8.5.54-0+deb9u1_all.deb
 071d868895afe960292fda2b40e8cb08d98da044 402978 libservlet3.1-java_8.5.54-0+deb9u1_all.deb
 b7e0f645212541747aaed402f7fa89dc54a4e0e0 4104550 libtomcat8-embed-java_8.5.54-0+deb9u1_all.deb
 7f73545388f82a99c07ea93e06e3dfea6290df9d 5361118 libtomcat8-java_8.5.54-0+deb9u1_all.deb
 55479292bc47f0714b6d794d4208150bdf508f55 32660 tomcat8-admin_8.5.54-0+deb9u1_all.deb
 7b9ce85b350c5b40871729271a24cdb28d5a5f68 66968 tomcat8-common_8.5.54-0+deb9u1_all.deb
 f740af4dada90ce1ecb133886a5e085c68cb2fa5 690548 tomcat8-docs_8.5.54-0+deb9u1_all.deb
 d427e9020f6bfb4c8d59ca71ab8646d5ea3e8737 189450 tomcat8-examples_8.5.54-0+deb9u1_all.deb
 1be248775a2b7f9b17760548cdc9b5934862ee43 41118 tomcat8-user_8.5.54-0+deb9u1_all.deb
 8335933a88badeb59532982d1b00b7888c238f31 53278 tomcat8_8.5.54-0+deb9u1_all.deb
 796ad7493a3134fc50580b849f1071cdb04b656d 14603 tomcat8_8.5.54-0+deb9u1_amd64.buildinfo
Checksums-Sha256:
 251d42c8daa37cb2323bb7163841dc09929e6e84d3cbc77a4eb06d4d046f13e4 3101 tomcat8_8.5.54-0+deb9u1.dsc
 a7733123c889b44521fbfe601472ffd5fe1109ded465aa10df6ab20569beddda 3779176 tomcat8_8.5.54.orig.tar.xz
 ed8676649736b504e3b5a64ee74a31612d55633e2cfb12caa1c64483293ba08c 43204 tomcat8_8.5.54-0+deb9u1.debian.tar.xz
 338e11522b42ee66f7b837e425ff079e9ca6e8301b0763e35cade50fc80adb01 243444 libservlet3.1-java-doc_8.5.54-0+deb9u1_all.deb
 c64e3cb52795845ba6f0804bea41ff79ca37b7ea6f9b6b7297a28db25890d5b5 402978 libservlet3.1-java_8.5.54-0+deb9u1_all.deb
 17bfbbfea310ee3d08d54437152c0f23e686953ee2a8ee70f4469c9a5353f3d2 4104550 libtomcat8-embed-java_8.5.54-0+deb9u1_all.deb
 3f9ca4f569a06a3fa77924a68a93f7d2ef2bd7e9b1dcfd35d46ac825664d4705 5361118 libtomcat8-java_8.5.54-0+deb9u1_all.deb
 ca8b952a5c90fbb9dd7fe4fdea41cff030de6d6409170e56ad291f5e9f39ad11 32660 tomcat8-admin_8.5.54-0+deb9u1_all.deb
 18346d01281dce888b52b7a783d1d2ea3f492999a7a51f460b355e0d7a797529 66968 tomcat8-common_8.5.54-0+deb9u1_all.deb
 a46ff66c15e1cf0790d6939256956537467e88863cc74594dae1850c38a15fc1 690548 tomcat8-docs_8.5.54-0+deb9u1_all.deb
 ba0077b08e02cb3219e7355ffae9884c7c1983dfaace27df7cc0b31a865bfd6a 189450 tomcat8-examples_8.5.54-0+deb9u1_all.deb
 baa75ed819ae091f0069877214fb234bd103c246e300f871bb32b6ea382ed791 41118 tomcat8-user_8.5.54-0+deb9u1_all.deb
 92795211cd2a8d30fdf3efc5ac517463dfe558745ade0be2652dbebf0414231f 53278 tomcat8_8.5.54-0+deb9u1_all.deb
 563d00cdbcc77514837ce6e7c2f1bd9014fb91ae4b63ea233a6d9cc5322c6b71 14603 tomcat8_8.5.54-0+deb9u1_amd64.buildinfo
Files:
 d2770b2e6e8d395c081a80ac774883ae 3101 java optional tomcat8_8.5.54-0+deb9u1.dsc
 389adbb82ba032062a3241eb66969753 3779176 java optional tomcat8_8.5.54.orig.tar.xz
 fdf87daa3a7f25b9872f0491a8bae571 43204 java optional tomcat8_8.5.54-0+deb9u1.debian.tar.xz
 38d4118ee45392b6c823ea4525dbedc3 243444 doc optional libservlet3.1-java-doc_8.5.54-0+deb9u1_all.deb
 4697427f0b9a0cd8404544e767e5ba1f 402978 java optional libservlet3.1-java_8.5.54-0+deb9u1_all.deb
 21255ce3c011578f01361927883b2482 4104550 java optional libtomcat8-embed-java_8.5.54-0+deb9u1_all.deb
 7628860d803c3ad91039f73c1f0c9d2f 5361118 java optional libtomcat8-java_8.5.54-0+deb9u1_all.deb
 ef700424348cace1473f8050b6819233 32660 java optional tomcat8-admin_8.5.54-0+deb9u1_all.deb
 a50a5b1af2fb5c8bca192ec5207d1677 66968 java optional tomcat8-common_8.5.54-0+deb9u1_all.deb
 65c5f5f406be1536596a2cee31f2f1aa 690548 doc optional tomcat8-docs_8.5.54-0+deb9u1_all.deb
 0fa4a50f706bf32e6439033981376b32 189450 java optional tomcat8-examples_8.5.54-0+deb9u1_all.deb
 37399b7ede83bdab307b20600e399804 41118 java optional tomcat8-user_8.5.54-0+deb9u1_all.deb
 266007c914f66839f6cc92df0d61a42d 53278 java optional tomcat8_8.5.54-0+deb9u1_all.deb
 25161cce2195659b87d3e7d87479c462 14603 java optional tomcat8_8.5.54-0+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl6kUqxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkpeMQAKdL//CgJKA25eQLrLImx4godf6l2zfb0Kxj
KVbmc6vatsq3zl+UqR6gTnn4xWsWsr2B+pJMA7JgH1bn7pBg3KnPNhd47jZip1/g
/Hta7dw25x1fSRwyiAdGyp/IqX6vZhoa/zgq5lBfAGLew9wkT67c55y1yYOCb7CA
dHrSXS/GIYq90OYm/KvAbj+M2redplTbfjsMnm+lZMEckZlbN2JJGD5BzyCZ7+Ez
1J1sUcqqjKgVA4d8OM85QD25f6zFKWy8KLaiqSWXVIrG82aq+aDZoCkn7TbZql+z
Y5ZPmTIzhmsXN7MOQoOcp1wqquVZp5qeiziBAG07Fa2QN4T8+QxLbtKWloxpFMRX
yQTiYaHBkDI1E1w1zsmLUSjGjKgV8y1G0Xh4Ncj/BR7Frzc3Zf+yDXhLFZtU6U8d
6FPRx63BO9TEMKeSEDF+BZFz+UXGU1Tnz1Pyn3NGmTjZ1cTT3jMXg7i00mnaRoAO
Wiy+mvNP5MFRtHeLAhZqmTLUbrKg/yvdGlgZiAVabnw5M+a7pIGXFnDfiz1qvlG9
AoinUEAyNKN7ZXvm6K2lnXtbPIUDStSMnL1bImjtjQESq1ZCmGS8xUw6nA7W+8dy
Q2lmJpo6jXKwAGQ3q/7q+DtVFgxej2VHwapN6QxPYUTma+PrHlQBiLpcBszqX21L
bkLbp86/
=yVWm
-----END PGP SIGNATURE-----
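The note at the end of the Changes field says that mitigation for CVE-2020-1938 is only needed if the AJP port was made reachable by untrusted users, which on a Debian host means someone edited /etc/tomcat8/server.xml and uncommented the AJP Connector. The script below is an added example written for this page; it is not part of the tomcat8 package or of Tomcat. It strips XML comments (so the commented-out Connector that Debian ships is not counted), prints each active AJP Connector, and exits non-zero when one binds anything other than a loopback address. The function names, the output wording and the three server.xml fragments are constructed for the example and assume the stock single-Service layout.

```shell
#!/bin/sh
# ajp_check.sh (added example, not from the tomcat8 package):
#   sh ajp_check.sh /etc/tomcat8/server.xml
# ajp_exposure reads a server.xml on stdin and returns 0 when no AJP
# connector is reachable beyond the host (none defined, all commented
# out, or all bound to loopback) and 1 when at least one is reachable.

# Drop <!-- ... --> comments, including ones spanning several lines, so a
# commented-out Connector element is not mistaken for an active one.
strip_xml_comments() {
    awk '
    {
        line = $0; out = ""
        while (length(line) > 0) {
            if (inc) {                       # inside a comment
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); inc = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); inc = 1
            }
        }
        print out
    }'
}

# One active <Connector ...> per output line, even if it was wrapped.
active_connectors() {
    strip_xml_comments | tr '\n' ' ' \
        | awk '{ gsub(/<Connector/, "\n<Connector"); print }' \
        | grep '^<Connector'
}

# attr NAME ELEMENT: value of attribute NAME on a single-line element, or
# empty if absent. The leading whitespace keeps "port" from matching
# "redirectPort".
attr() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

ajp_exposure() {
    status=0
    conns=$(active_connectors \
        | grep -i -e 'protocol="AJP' -e 'protocol="org\.apache\.coyote\.ajp' || :)
    [ -n "$conns" ] || { echo "no active AJP connector"; return 0; }
    while IFS= read -r c; do
        [ -n "$c" ] || continue
        port=$(attr port "$c"); addr=$(attr address "$c")
        case "$addr" in
            127.0.0.1|::1|localhost)
                echo "loopback-only AJP connector on port $port" ;;
            "")  # no address attribute: pre-8.5.51 default, all interfaces
                echo "EXPOSED: AJP connector on port $port binds all addresses"
                status=1 ;;
            *)
                echo "EXPOSED: AJP connector on port $port binds $addr"
                status=1 ;;
        esac
    done <<EOF
$conns
EOF
    return $status
}

# Constructed server.xml fragments for demonstration (not from a real host).
DEBIAN_DEFAULT_XML='<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
  </Service>
</Server>'
AJP_ENABLED_XML='<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>'
AJP_LOOPBACK_XML='<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3"
               address="127.0.0.1" redirectPort="8443" />
  </Service>
</Server>'

report() { printf '%s: ' "$1"; printf '%s\n' "$2" | ajp_exposure || :; }

if [ $# -gt 0 ]; then
    ajp_exposure < "$1"
else
    report DEBIAN_DEFAULT_XML "$DEBIAN_DEFAULT_XML"
    report AJP_ENABLED_XML "$AJP_ENABLED_XML"
    report AJP_LOOPBACK_XML "$AJP_LOOPBACK_XML"
fi
```

The loopback test only looks at the bind address. A connector bound to a LAN address is reported as exposed even when the only client is a reverse proxy on that network; whether that network counts as "untrusted users" in the sense of the changelog is a judgement the script leaves to the operator. Upstream's 8.5.51 hardening, which this Debian upload carries, also changed the AJP defaults to bind to loopback and to require a shared secret, so a freshly uncommented connector from a newer server.xml will show up here as loopback-only.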