Format: 1.8
Date: Wed, 22 Sep 2021 21:46:16 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source
Version: 8.5.54-0+deb9u8
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8 - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat8 (8.5.54-0+deb9u8) stretch-security; urgency=high
 .
   * Team upload.
   * CVE-2021-30640: Fix NullPointerException.
     If no userRoleAttribute is specified in the user's Realm configuration
     its default value will be null. This will cause a NPE in the methods
     doFilterEscaping and doAttributeValueEscaping. This is upstream bug
     https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
   * Fix CVE-2021-41079:
     Apache Tomcat did not properly validate incoming TLS packets. When Tomcat
     was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially
     crafted packet could be used to trigger an infinite loop resulting in a
     denial of service.