-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 06 Mar 2018 13:00:42 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.28-4+deb7u18
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Changes:
 tomcat7 (7.0.28-4+deb7u18) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2018-1304:
     The URL pattern of "" (the empty string) which exactly maps to the
     context root was not correctly handled in Apache Tomcat when used as
     part of a security constraint definition. This caused the constraint to
     be ignored. It was, therefore, possible for unauthorised users to gain
     access to web application resources that should have been protected.
     Only security constraints with a URL pattern of the empty string were
     affected.
   * Fix CVE-2018-1305:
     Security constraints defined by annotations of Servlets in Apache Tomcat
     were only applied once a Servlet had been loaded. Because security
     constraints defined in this way apply to the URL pattern and any URLs
     below that point, it was possible - depending on the order Servlets were
     loaded - for some security constraints not to be applied. This could
     have exposed resources to users who were not authorised to access them.
Checksums-Sha1:
Checksums-Sha256:
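For the CVE-2018-1304 entry in the Changes field above, an audit helper added here (not part of this upload or of Tomcat itself): it parses a constructed web.xml and lists the security constraints whose url-pattern is the empty string, which are the only ones the bug affects, so an operator knows which constraints to re-verify once 7.0.28-4+deb7u18 is installed. The sample web.xml, the namespace and the role names are constructed for the example.

```python
"""Audit helper (added example, not part of the Debian upload): list the
security constraints in a web.xml whose <url-pattern> is the empty string,
i.e. the exact context-root mapping that CVE-2018-1304 describes as ignored
by unfixed Tomcat, so you know which constraints to re-verify after upgrading."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml: one constraint on "" (context root), one on /admin/*.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Context root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so web.xml files with or without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]

def find_context_root_constraints(web_xml_text):
    """Return (resource-name, roles) for every security-constraint that uses the
    empty-string URL pattern; an empty list means this web.xml is unaffected."""
    hits = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        roles = [r.text.strip() for ac in sc if _local(ac.tag) == "auth-constraint"
                 for r in ac if _local(r.tag) == "role-name" and r.text]
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [(p.text or "").strip() for p in wrc if _local(p.tag) == "url-pattern"]
            if "" in patterns:
                name = next((n.text or "" for n in wrc if _local(n.tag) == "web-resource-name"), "")
                hits.append((name, roles))
    return hits

if __name__ == "__main__":
    for name, roles in find_context_root_constraints(SAMPLE_WEB_XML):
        print(f"constraint '{name}' on the context root (roles {roles}): re-check after upgrade")
```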