-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 12 Apr 2017 09:58:46 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source
Version: 8.5.11-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 860068
Changes:
 tomcat8 (8.5.11-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix the following security vulnerabilities (Closes: #860068):
     Thanks to Salvatore Bonaccorso for the report.
     - CVE-2017-5647:
       A bug in the handling of the pipelined requests when send file was
       used resulted in the pipelined request being lost when send file
       processing of the previous request completed. This could result in
       responses appearing to be sent for the wrong request. For example, a
       user agent that sent requests A, B and C could see the correct
       response for request A, the response for request C for request B and
       no response for request C.
     - CVE-2017-5648:
       It was noticed that some calls to application listeners did not use
       the appropriate facade object. When running an untrusted application
       under a SecurityManager, it was therefore possible for that untrusted
       application to retain a reference to the request or response object
       and thereby access and/or modify information associated with another
       web application.
     - CVE-2017-5650:
       The handling of an HTTP/2 GOAWAY frame for a connection did not close
       streams associated with that connection that were currently waiting
       for a WINDOW_UPDATE before allowing the application to write more
       data. These waiting streams each consumed a thread. A malicious client
       could therefore construct a series of HTTP/2 requests that would
       consume all available processing threads.
     - CVE-2017-5651:
       The refactoring of the HTTP connectors for 8.5.x onwards introduced a
       regression in the send file processing. If the send file processing
       completed quickly, it was possible for the Processor to be added to
       the processor cache twice. This could result in the same Processor
       being used for multiple requests which in turn could lead to
       unexpected errors and/or response mix-up.
   * debian/control: tomcat8: Fix Lintian error and depend on lsb-base.
Checksums-Sha1:
 b07cfdae4c9833e73465ee434c1d4b706859cb39 3088 tomcat8_8.5.11-2.dsc
 019f6dbd06a6327f57567244a2248353f56d6d3e 45956 tomcat8_8.5.11-2.debian.tar.xz
 5468a9cd8386358fb683764f3d3f8f678d0a4479 13448 tomcat8_8.5.11-2_amd64.buildinfo
Checksums-Sha256:
 ace4b04910808599fd769221054afea53b75d2405fb0cafe9918e5c74d930efe 3088 tomcat8_8.5.11-2.dsc
 22d22c58d4448d185c166b5e6585d5955be6d41a4a27d4ec6f52f2b0f5279407 45956 tomcat8_8.5.11-2.debian.tar.xz
 b4f70d38dfb6687d340ab32f0c3690960ac1e0892dde3e7fd486c5647eaf236a 13448 tomcat8_8.5.11-2_amd64.buildinfo
Files:
 0f2c32cce9287214efbbfcbc02358238 3088 java optional tomcat8_8.5.11-2.dsc
 09c42f3d51d3788d63a42cdaf11d2d76 45956 java optional tomcat8_8.5.11-2.debian.tar.xz
 e6048a67c2b73df2ff51f8da513029aa 13448 java optional tomcat8_8.5.11-2_amd64.buildinfo