-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Mar 2021 21:18:04 +0100
Source: tomcat8
Architecture: source
Version: 8.5.54-0+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Anton Gladky <gladk@debian.org>
Changes:
 tomcat8 (8.5.54-0+deb9u6) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2021-25122
     When responding to new h2c connection requests, Apache Tomcat could
     duplicate request headers and a limited amount of request body from
     one request to another meaning user A and user B could both see the
     results of user A's request.
   * Fix CVE-2021-25329
     The fix for 2020-9484 was incomplete. When using Apache Tomcat 8.5.0
     to 8.5.61 with a configuration edge case that was highly unlikely to
     be used, the Tomcat instance was still vulnerable to CVE-2020-9494.
     Note that both the previously published prerequisites for
     CVE-2020-9484 and the previously published mitigations for
     CVE-2020-9484 also apply to this issue.
   * Fix CVE-2021-24122
     When serving resources from a network location using the NTFS file
     system, Apache Tomcat versions 8.5.0 to 8.5.59 is susceptible to JSP
     source code disclosure in some configurations. The root cause was the
     unexpected behaviour of the JRE API File.getCanonicalPath() which in
     turn was caused by the inconsistent behaviour of the Windows API
     (FindFirstFileW) in some circumstances.
Checksums-Sha1:
 10bcfc03798e49fe012d387cbff2b76ce61ad423 2950 tomcat8_8.5.54-0+deb9u6.dsc
 4114d45265829b2a3c4c841c2844f9f0d4530c54 51720 tomcat8_8.5.54-0+deb9u6.debian.tar.xz
 bc9407b8995bba74ad756b84b0a30ec3c9ed655b 7350 tomcat8_8.5.54-0+deb9u6_source.buildinfo
Checksums-Sha256:
 daea5051024ffebbb44b9f0bce580055f69c245502f431660a02b05eb137324d 2950 tomcat8_8.5.54-0+deb9u6.dsc
 60fc007b77b1bddbbee8d14e5dfd67e1d4f8d0c81de730915f251fc9d6aad0af 51720 tomcat8_8.5.54-0+deb9u6.debian.tar.xz
 c3d7487cbd41e989c5b7e9dd435a210c0144c290889a3cba067c042e0c44a534 7350 tomcat8_8.5.54-0+deb9u6_source.buildinfo
Files:
 343e4b6277025352c6a42d4b7911c9f4 2950 java optional tomcat8_8.5.54-0+deb9u6.dsc
 fb4a91433332fe44b0c350b31caae842 51720 java optional tomcat8_8.5.54-0+deb9u6.debian.tar.xz
 21b00200fba62abd6bac14371b5b1321 7350 java optional tomcat8_8.5.54-0+deb9u6_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmBPwzYACgkQ0+Fzg8+n
/wa/3RAAh5RokR1I24aNRCfTg05MfWK8ZKse4hEuADg8gwu9nO5IjUWB4QDk1BU8
langHfkyG7g7CkGYclw+IRWphWIIMVSZ8n2gaQcqqTTHnQDJdjmjC/kxc9ti7/5F
aDqk9Ib3bBKrV7g97dgNtQ1HWvNeyydhAOY4yUhSKpIV40G+CKf8UDNSnMjNo50s
9OZWVpibLEyv7PNu8TqhFmjH4rX6vhLgUcOvoHrQMEZOX3KmynqjjEfXxECTYQ6F
SEtGrdYZ6bq79dDwUJqEe8nqZKh7TWrKJAomiP3+vB3eFka5X7llHNnSmpN1z1Z3
70QYmpzaapobz9zaKgdf5yDEAtDsFlgnDvGwQdCWEC++Qs5Ry43J0R33jgP720Pq
kMDHRwQ3qgn+CHMd1oyXqqT/b4tNENNcyhQQ99SsWFeiw0ZhmfibkLEi2V03PyTh
L/SmBp+EdtLAFA6ggGuQkMUWjfo5e1LGi4mMdNVMyVFJvKUK27V53zPNXA7xn1KG
fiXZo/r1ti4SJIpeYw4UIPXwMFpW9v94i9FtvEn7bWpK/5FoFPbCtbzHZcKh162E
3qLQ9GLoweOVLVzHjC2Pc18JiKksUhhY+wmVRV92+LEPqYHUv3GGzRmnfHrtEUwU
L/gT0pC4yNXjyOdI43BSKt75bPxNcx4qRpg1uekZ6lOP5Aywp0k=
=k8fb
-----END PGP SIGNATURE-----