-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Aug 2021 20:01:42 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source
Version: 8.5.54-0+deb9u7
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat8 (8.5.54-0+deb9u7) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2021-30640: A vulnerability in the JNDI Realm of Apache Tomcat
     allows an attacker to authenticate using variations of a valid user name
     and/or to bypass some of the protection provided by the LockOut Realm.
   * Fix CVE-2021-33037: Apache Tomcat did not correctly parse the HTTP
     transfer-encoding request header in some circumstances, leading to the
     possibility of request smuggling when used with a reverse proxy.
     Specifically:
     - Tomcat incorrectly ignored the transfer-encoding header if the client
       declared it would only accept an HTTP/1.0 response;
     - Tomcat honoured the identity encoding; and
     - Tomcat did not ensure that, if present, the chunked encoding was the
       final encoding.
Checksums-Sha1:
 95acf56ed6bae14b880ee0db136eadb9ded990e8 3101 tomcat8_8.5.54-0+deb9u7.dsc
 16425009d02faf726c138b9355fa615f4841cfe7 56184 tomcat8_8.5.54-0+deb9u7.debian.tar.xz
 707148b9225a461f71f78fb13a4588078e7a432b 14694 tomcat8_8.5.54-0+deb9u7_amd64.buildinfo
Checksums-Sha256:
 b527c66d72a9d98aca0d6f0cb33baa23fd2738fbb9e44380b534bd020c7deda1 3101 tomcat8_8.5.54-0+deb9u7.dsc
 a5131d359562855bd7606d483d240850036add7a171d6f4aef0e6d6e02184b0b 56184 tomcat8_8.5.54-0+deb9u7.debian.tar.xz
 bb4c9cfaedf539aa5739557f85a5692e1050a84c848de6cb99022c2c4974eac7 14694 tomcat8_8.5.54-0+deb9u7_amd64.buildinfo
Files:
 d301aefcfd3b6e66c810975770320fff 3101 java optional tomcat8_8.5.54-0+deb9u7.dsc
 330257f5e01e38d3fa11192fabad395f 56184 java optional tomcat8_8.5.54-0+deb9u7.debian.tar.xz
 4625ad3a96a551ef32de9e136e021f0f 14694 java optional tomcat8_8.5.54-0+deb9u7_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmEMRcRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HksEQQAM9jS1hgFtkNp6VxN+wIzllcaVqmSY47KK5F
3Xv/oOhuEQ/UMnw95Qe2nMvFROqfhulz6hCb4VVHBzGSF9kNerYCSu71830JP2uL
IDb74w1kTcn+RJo9BjYeke4qN90kgUI6yxxuJh/7GdRAghKdp5hlyCQ9z0OiT3uH
6Lei5vOEXyzz8Uq9ynz1EpvxmItIfN2ubpSDS9qGjqr4/hbSGY0QDNivszaGlLHF
RO9lASTWXpiUymS2JIB+gSVcknIvmV8zjBL25IL5StXOdrEhc/lkiUnBTpRTS4b3
b9FIx3/AqRleA+YYy4qP8a1+uIzD2DTYXlF0FOFPYxZ10PFKTqqyT0ECaI8VxrTV
PKbnUy1zyHBa7xSfPVOCWjFBBZLn7+XMG1JXQ6W4/FTBqNBMCJ8AWJLXxysvcm+S
jihAZyLAakFx/WP1NneLQf+CUnjCzhhvdZ9SXA4rvup7oUEtNaRa4GLfUuJP6cM6
5pK9HRjpAIQUW5RNOZWfnHxS54VfW8BOOEJybd+FfEK7sRYtBbq5GFPwpImL7Znd
2Mp0W5KBIbkGt4tUvTPliD9RdiTCkMJ/C2KpTBOW3dG43v2Xqy6Ra8e6W2D53xhX
KDCyp1M36V2rRcSpGBWuh4KDInQ+Tj4iSg/IAcUYIE6hfBR2haLAWmoabLH1ucmw
5Ecet/yn
=cXSL
-----END PGP SIGNATURE-----
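The three CVE-2021-33037 behaviours listed in the Changes field are easiest to see as a framing decision: given the same bytes, which delimiter does the server use for the body? A reverse proxy that decides "chunked" in front of a backend that decides "Content-Length" (or "no body") is the desynchronisation that request smuggling exploits. The following is an added example, not Tomcat's code or part of this upload: a small Python request-head parser with a `lenient` mode that reproduces the three pre-fix behaviours from the changelog and a strict mode that evaluates Transfer-Encoding regardless of request version, refuses `identity`, and requires `chunked` to be the final coding. The sample requests, the `KNOWN_CODINGS` set, and the choice to reject a request carrying both Transfer-Encoding and Content-Length (RFC 7230 §3.3.3 would let Transfer-Encoding win) are this example's own assumptions.

```python
from typing import Dict, List, Tuple

# Transfer codings this example recognises (RFC 7230 section 4). "identity"
# is deliberately absent: RFC 7230 dropped it, and accepting it was one of
# the three behaviours fixed by this upload. Assumption of this example.
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress"}


def parse_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw request into (http_version, headers).

    Header names are lower-cased; repeated headers are kept in order as a
    list so several Transfer-Encoding lines can be combined as RFC 7230 requires.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    version = lines[0].rsplit(" ", 1)[-1]          # e.g. "HTTP/1.0"
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, headers


def transfer_codings(headers: Dict[str, List[str]]) -> List[str]:
    """Flatten every Transfer-Encoding line into one ordered coding list."""
    codings: List[str] = []
    for value in headers.get("transfer-encoding", []):
        codings.extend(c.strip().lower() for c in value.split(",") if c.strip())
    return codings


def framing(raw: bytes, lenient: bool = False) -> Tuple[str, str]:
    """Decide how the request body is delimited.

    Returns (decision, reason); decision is "chunked", "content-length",
    "none" or "reject". lenient=True reproduces the three pre-fix behaviours
    named in the changelog; lenient=False is the strict behaviour a hardened
    backend should apply.
    """
    version, headers = parse_head(raw)
    codings = transfer_codings(headers)
    has_cl = "content-length" in headers

    if lenient:
        if version == "HTTP/1.0":                 # (1) TE ignored for an HTTP/1.0 client
            codings = []
        codings = [c for c in codings if c != "identity"]   # (2) identity honoured
        if "chunked" in codings:                  # (3) chunked honoured at any position
            return "chunked", "lenient: chunked appears somewhere in Transfer-Encoding"
        if has_cl:
            return "content-length", "lenient: fell back to Content-Length"
        return "none", "lenient: no delimiter, body treated as empty"

    # Strict path: Transfer-Encoding is evaluated whatever the request version.
    if codings:
        if "identity" in codings:
            return "reject", "'identity' is not a transfer coding in RFC 7230"
        unknown = sorted(set(codings) - KNOWN_CODINGS)
        if unknown:
            return "reject", f"unsupported transfer coding(s): {unknown}"
        if codings[-1] != "chunked":
            return "reject", "chunked must be the final transfer coding"
        if has_cl:
            # Rejecting the ambiguous pair is this example's conservative choice:
            # the backend then never guesses which delimiter the proxy used.
            return "reject", "Transfer-Encoding and Content-Length both present"
        return "chunked", "chunked is the final transfer coding"
    if has_cl:
        values = headers["content-length"]
        if len(set(values)) != 1 or not values[0].isdigit():
            return "reject", "conflicting or non-numeric Content-Length"
        return "content-length", f"Content-Length: {values[0]}"
    return "none", "no delimiter, body is empty"


# Constructed sample requests (not captured traffic). The bytes after the blank
# line are what a lenient parser would leave on the connection for the *next*
# request, which is the smuggling primitive.
SAMPLES: Dict[str, bytes] = {
    "http10_te_ignored": (b"POST / HTTP/1.0\r\nHost: app\r\n"
                          b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin"),
    "identity_honoured": (b"POST / HTTP/1.1\r\nHost: app\r\n"
                          b"Transfer-Encoding: identity\r\nContent-Length: 4\r\n\r\nGET /admin"),
    "chunked_not_final": (b"POST / HTTP/1.1\r\nHost: app\r\n"
                          b"Transfer-Encoding: chunked, gzip\r\n\r\n0\r\n\r\n"),
    "well_formed_chunked": (b"POST / HTTP/1.1\r\nHost: app\r\n"
                            b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "plain_content_length": b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 0\r\n\r\n",
}


def disagreements() -> List[str]:
    """Sample names where lenient and strict framing differ, i.e. where a
    proxy/backend pair with those two behaviours could be desynchronised."""
    return [name for name, raw in SAMPLES.items()
            if framing(raw, lenient=True)[0] != framing(raw)[0]]


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22} lenient={framing(raw, lenient=True)[0]:15} strict={framing(raw)[0]}")
    print("desync candidates:", disagreements())
```

Run stand-alone, the script prints one line per sample; the three samples named after the changelog bullets are the ones where the two parsers disagree, and the two well-formed requests are framed identically by both. The strict path answers "reject" rather than guessing whenever the header set is ambiguous, which is the property that matters behind a reverse proxy: a backend that never picks a delimiter the proxy might not have picked cannot be desynchronised from it.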