-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 May 2020 18:08:54 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u17
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8 - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat8 (8.0.14-1+deb8u17) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
 .
   * WARNING: The fix for CVE-2020-1938 may disrupt services that rely on a
     working AJP configuration. The option secretRequired defaults to true
     now. You should define a secret in your server.xml or you can revert
     back by setting secretRequired to false.
 .
   * Fix CVE-2019-17563: When using FORM authentication with Apache Tomcat
     there was a narrow window where an attacker could perform a session
     fixation attack. The window was considered too narrow for an exploit to
     be practical but, erring on the side of caution, this issue has been
     treated as a security vulnerability.
   * Fix CVE-2020-1935: In Apache Tomcat the HTTP header parsing code used an
     approach to end-of-line parsing that allowed some invalid HTTP headers
     to be parsed as valid. This led to a possibility of HTTP Request
     Smuggling if Tomcat was located behind a reverse proxy that incorrectly
     handled the invalid Transfer-Encoding header in a particular manner.
     Such a reverse proxy is considered unlikely.
   * Fix CVE-2020-1938: When using the Apache JServ Protocol (AJP), care must
     be taken when trusting incoming connections to Apache Tomcat. Tomcat
     treats AJP connections as having higher trust than, for example, a
     similar HTTP connection. If such connections are available to an
     attacker, they can be exploited in ways that may be surprising.
     Previously Tomcat shipped with an AJP Connector enabled by default that
     listened on all configured IP addresses. It was expected (and
     recommended in the security guide) that this Connector would be disabled
     if not required.
 .
     Note that Debian already disabled the AJP connector by default.
     Mitigation is only required if the AJP port was made accessible to
     untrusted users.
   * Fix CVE-2020-9484: When using Apache Tomcat and a) an attacker is able
     to control the contents and name of a file on the server; and b) the
     server is configured to use the PersistenceManager with a FileStore; and
     c) the PersistenceManager is configured with
     sessionAttributeValueClassNameFilter="null" (the default unless a
     SecurityManager is used) or a sufficiently lax filter to allow the
     attacker provided object to be deserialized; and d) the attacker knows
     the relative file path from the storage location used by FileStore to
     the file the attacker has control over; then, using a specifically
     crafted request, the attacker will be able to trigger remote code
     execution via deserialization of the file under their control. Note
     that all of conditions a) to d) must be true for the attack to succeed.
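The WARNING above and the CVE-2020-1938 entry both come down to one server.xml change. The connector below is an added illustration, not a fragment of this upload or of the Tomcat project's shipped configuration. It assumes the backported connector takes the shared secret through the `secret` attribute next to `secretRequired`, as upstream Tomcat 8.5 and 9 document it (check the package's connector documentation before relying on the attribute name), that the reverse proxy runs on the same host so the connector can bind to the loopback address, and that the secret value shown is a placeholder to be replaced with a long random string.

```xml
<!-- /etc/tomcat8/server.xml, AJP connector (added example, not the package's file) -->

<!-- Pre-fix shape: listens on every interface and carries no secret.
     With secretRequired defaulting to true this connector no longer
     initialises, which is the service disruption the changelog warns about. -->
<!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->

<!-- Hardened shape: loopback only, secret required, secret set.
     "CHANGE-ME-placeholder-secret" is a placeholder; the same value must be
     configured on the proxy side (mod_jk worker "secret" property, or the
     secret= option of mod_proxy_ajp's ProxyPass in httpd 2.4.42 and later). -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="CHANGE-ME-placeholder-secret" />

<!-- Revert option named in the changelog. Only defensible when the port is
     reachable solely from trusted hosts (firewalled or loopback-bound),
     because it restores the pre-fix trust model. -->
<!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="false" />
-->
```

After editing, restart tomcat8 and confirm in catalina.out that the AJP connector actually initialised; a missing or empty secret with secretRequired="true" is reported there rather than silently accepted. Binding to the loopback address is the part that matters most on Debian hosts where the connector was enabled by hand, since the changelog notes mitigation is only needed where the AJP port became reachable by untrusted users.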
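For the CVE-2020-9484 entry, condition c) is the one an operator controls directly. The context fragment below is an added example, not the package's shipped context.xml. The manager class is `org.apache.catalina.session.PersistentManager` (the changelog's "PersistenceManager" refers to this class); the session directory under /var/lib/tomcat8 and the `com.example.app.session` package are assumed values to replace with the deployment's own.

```xml
<!-- /etc/tomcat8/context.xml or the application's META-INF/context.xml
     (added example, not the package's file) -->
<Context>

  <!-- Lax form: no filter, so any class found in the stored session file
       is resolved during deserialisation. This is condition c) as stated
       in the changelog (the default when no SecurityManager is in use). -->
  <!--
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat8/sessions" />
  </Manager>
  -->

  <!-- Hardened form: allow-list of fully qualified class names. The value
       is a regular expression that must match the whole class name, and it
       is applied to every class resolved while reading the session, nested
       collection elements included. The first alternative is the default
       Tomcat applies under a SecurityManager; the last one is a placeholder
       for the application's own session attribute classes. -->
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|java\.util\.(?:ArrayList|HashMap)|com\.example\.app\.session\..*">
    <!-- Keep the store directory owned by the tomcat8 user, not reachable
         by any upload or file-write path the application exposes, which
         addresses conditions a) and d). -->
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat8/sessions" />
  </Manager>

</Context>
```

Start with a deliberately narrow pattern and widen it from the warnings Tomcat logs for filtered attributes, rather than starting wide; an attribute that fails the filter is dropped from the restored session, which is visible in application behaviour and in the logs, while an over-broad pattern fails silently.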
Checksums-Sha1:
 91e5cd9b63f82fe51f4808ff7053b9b8ed66215d 3016 tomcat8_8.0.14-1+deb8u17.dsc
 c84579820bc38c800b4956d41d9e1abaaf55798a 101656 tomcat8_8.0.14-1+deb8u17.debian.tar.xz
 d76d6fe7e9dc97496639c03648a9bfea5bfed1e2 61012 tomcat8-common_8.0.14-1+deb8u17_all.deb
 75be1b7cf4376404470ba31ed4457b7ce1f390e2 50394 tomcat8_8.0.14-1+deb8u17_all.deb
 94d11e24d2ee11d575b2b866ec16ed7ff8a9a839 38064 tomcat8-user_8.0.14-1+deb8u17_all.deb
 cdb45df3d2ed9991c344a5bac9b0e2b32061c2e9 4598210 libtomcat8-java_8.0.14-1+deb8u17_all.deb
 0602497377edb609c60c3169925deb3cedbe1a36 395340 libservlet3.1-java_8.0.14-1+deb8u17_all.deb
 cc8404aa927b523f259110de67aae93ce3d90a3e 251020 libservlet3.1-java-doc_8.0.14-1+deb8u17_all.deb
 29702bd6ec07dc0acdc613c2d89ad3a6cebeb503 39266 tomcat8-admin_8.0.14-1+deb8u17_all.deb
 4fba576cdb0dc13dcd1d735475bad17555a66668 197352 tomcat8-examples_8.0.14-1+deb8u17_all.deb
 dc132888e5034e0440ddf4facfb61fb4fe75f201 692626 tomcat8-docs_8.0.14-1+deb8u17_all.deb
Checksums-Sha256:
 a28afbdda9a283bfb422e6ad421d143ffe2ae903d5c6e555d7af1bcfd903995c 3016 tomcat8_8.0.14-1+deb8u17.dsc
 28342a708f0f27b5ec3223978aad137b388115890b92af192f4e58ee884daa4b 101656 tomcat8_8.0.14-1+deb8u17.debian.tar.xz
 c5d1f093e67b8f9791571fb3ca63d20b21f42aac9ab9f4a12d33bddf89ced54f 61012 tomcat8-common_8.0.14-1+deb8u17_all.deb
 6a07aec7538327e69c11fe23ede8f8bbc13f896d0ee01c0dc718c86b6fe0ee9b 50394 tomcat8_8.0.14-1+deb8u17_all.deb
 61018dffbb1b97e9567c5304aaa2aa3d96c3c4596765c5789cddea7229f633fa 38064 tomcat8-user_8.0.14-1+deb8u17_all.deb
 b140b2a7a7a5a40cc4492289a278ee9686c1c871a6e9e6c603f5af00864268c4 4598210 libtomcat8-java_8.0.14-1+deb8u17_all.deb
 42f67710d351b35bbc5047187c1ce1d11f2564c4e0c52bb6aa33e2281d3e6c3b 395340 libservlet3.1-java_8.0.14-1+deb8u17_all.deb
 4a809c513470d0063fb0f66979a10aff5320022b9d261ce95fdd7762ed7f115a 251020 libservlet3.1-java-doc_8.0.14-1+deb8u17_all.deb
 27b5b1be3f77ddfcad6d55814b811af8827a8d45572cd12692f99eb0a708da36 39266 tomcat8-admin_8.0.14-1+deb8u17_all.deb
 adedea16758ff48565209bf2862a387f5869d83868a03198c0b0aa34797e7731 197352 tomcat8-examples_8.0.14-1+deb8u17_all.deb
 e1c223b5ba20679c74180d3d5e57c83d3ae81061ee8c61af092f401275349588 692626 tomcat8-docs_8.0.14-1+deb8u17_all.deb
Files:
 be6607e79e97a3723390426c37433fa5 3016 java optional tomcat8_8.0.14-1+deb8u17.dsc
 98d08f5023ab2b8d1e8a5d6656a20f8e 101656 java optional tomcat8_8.0.14-1+deb8u17.debian.tar.xz
 4e71995ed8e518f018246c5705090733 61012 java optional tomcat8-common_8.0.14-1+deb8u17_all.deb
 29eaf48908a631f7e64bbb2417ee7280 50394 java optional tomcat8_8.0.14-1+deb8u17_all.deb
 28f7eb85a879e7b5a8d9d8195817d6f9 38064 java optional tomcat8-user_8.0.14-1+deb8u17_all.deb
 6ce2d7da4425c9c6cd33950d95c44626 4598210 java optional libtomcat8-java_8.0.14-1+deb8u17_all.deb
 5d1b67089fd94eba8e8622b0d03710e1 395340 java optional libservlet3.1-java_8.0.14-1+deb8u17_all.deb
 8e217b88d759a9ff475d47771ac15b08 251020 doc optional libservlet3.1-java-doc_8.0.14-1+deb8u17_all.deb
 6ab4572a74290b639ec7dd7f9b1d24cb 39266 java optional tomcat8-admin_8.0.14-1+deb8u17_all.deb
 2328c9b5d489fb49871068f5e969a5fc 197352 java optional tomcat8-examples_8.0.14-1+deb8u17_all.deb
 acb0c5a72642baf566312d0acd8dd731 692626 doc optional tomcat8-docs_8.0.14-1+deb8u17_all.deb

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl7P6/tfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkxK4QAI938ZI2g/oDdiWe1lbhgrNcaFtTL89gawAo
DgFTgoQj4pDVsjCsTpyfjxzsY2vzX45shR7C17E7YJorjNIHyIKyXU6nCzsvzkgX
1fSNcQ+8JmMz6Njz7NnMASFyKYYgw0oFMEwzhN6IKfYeacJtkqNJvYIhfKG27RDe
mvVo/VZ7AxC7nRftMzrTitOrDDOrImaXTXtSn0BwWetCsh5DklTJEX+PsiSJiweP
Ppl3l+hLCX9lLzdVS45OCSKUkfrfxXOEqKd2E4vlHWhyACkAkgau23sveMLxAET+
Xuz6T1SGl8pYVN3EomNGKL7DPvKG0rRzezkZt6t0PiUH3cMpvonnyNb+A/qCg8ml
jiljC9roluQRYfM0d6Gz+FuW8x0gTo4Mwzb2F2go/yilfFyD7mGl/XJuxyuawOYa
LpPBpuJ51qxztWCYPATttcIViQL7vC6E4WmAE0XWN3nMBS3KBUA4BxY7/iQXmQgg
YDqn1mSuGOZ7o4liS8lKKNvFNnapVWL7//OMNw/uExWGX+CMjRxLqWIIIwaBbivF
enRqcSnhK1WmAC0que3uY6kGm2fpI/LaDB1AelqPONEyRPPwMoYh1RiC1IgNgm/O
SBMQRtBwBvLO+fIPKDsndeCYsYH1jmrLrRFP8DqBd7fzLBdSJdrcUHIemro7YHam
qWmr3hbA
=smoz
-----END PGP SIGNATURE-----