-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 18 Apr 2017 16:18:17 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.5.11-2~bpo8+1
Distribution: jessie-backports
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8 - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 860068
Changes:
 tomcat8 (8.5.11-2~bpo8+1) jessie-backports; urgency=medium
 .
   * Rebuild for jessie-backports.
 .
 tomcat8 (8.5.11-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix the following security vulnerabilities (Closes: #860068):
     Thanks to Salvatore Bonaccorso for the report.
     - CVE-2017-5647:
       A bug in the handling of the pipelined requests when send file was used
       resulted in the pipelined request being lost when send file processing
       of the previous request completed. This could result in responses
       appearing to be sent for the wrong request. For example, a user agent
       that sent requests A, B and C could see the correct response for
       request A, the response for request C for request B and no response for
       request C.
     - CVE-2017-5648:
       It was noticed that some calls to application listeners did not use the
       appropriate facade object. When running an untrusted application under
       a SecurityManager, it was therefore possible for that untrusted
       application to retain a reference to the request or response object and
       thereby access and/or modify information associated with another web
       application.
     - CVE-2017-5650:
       The handling of an HTTP/2 GOAWAY frame for a connection did not close
       streams associated with that connection that were currently waiting for
       a WINDOW_UPDATE before allowing the application to write more data.
       These waiting streams each consumed a thread. A malicious client could
       therefore construct a series of HTTP/2 requests that would consume all
       available processing threads.
     - CVE-2017-5651:
       The refactoring of the HTTP connectors for 8.5.x onwards, introduced a
       regression in the send file processing. If the send file processing
       completed quickly, it was possible for the Processor to be added to the
       processor cache twice. This could result in the same Processor being
       used for multiple requests which in turn could lead to unexpected
       errors and/or response mix-up.
   * debian/control: tomcat8: Fix Lintian error and depend on lsb-base.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----