-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 22 Jul 2018 23:07:52 -0400
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u12
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Roberto C. Sanchez <roberto@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 802312
Changes:
 tomcat8 (8.0.14-1+deb8u12) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Refreshed the expired SSL certificates used by the tests
   * Fix CVE-2018-1304: The URL pattern of "" (the empty string) which exactly
     maps to the context root was not correctly handled when used as part of a
     security constraint definition. This caused the constraint to be ignored.
     It was, therefore, possible for unauthorised users to gain access to web
     application resources that should have been protected. Only security
     constraints with a URL pattern of the empty string were affected.
     (Closes: #802312)
   * Fix CVE-2018-1305: Security constraints defined by annotations of Servlets
     were only applied once a Servlet had been loaded. Because security
     constraints defined in this way apply to the URL pattern and any URLs
     below that point, it was possible - depending on the order Servlets were
     loaded - for some security constraints not to be applied. This could have
     exposed resources to users who were not authorised to access them.
     (Closes: #802312)
Checksums-Sha1:
 95157d89b535319beeffe0585027e93efc56bcaa 2891 tomcat8_8.0.14-1+deb8u12.dsc
 ef69d65587de8804f09af3eaddcf6090980bb4a0 81512 tomcat8_8.0.14-1+deb8u12.debian.tar.xz
 578747f921860224294d656a4cc142830eed7fec 59154 tomcat8-common_8.0.14-1+deb8u12_all.deb
 a6bf2c9e70bdcb22864cb72458e724483afb7b7b 48620 tomcat8_8.0.14-1+deb8u12_all.deb
 592fa6110b851217033a8cbdd6c75ad059628e98 36242 tomcat8-user_8.0.14-1+deb8u12_all.deb
 418cae3425c594d4ec771d321d945f3b85e5be23 4592694 libtomcat8-java_8.0.14-1+deb8u12_all.deb
 c2eabf42e7d4803f30d1a22c3dbd4c2a0bef5255 393588 libservlet3.1-java_8.0.14-1+deb8u12_all.deb
 189f6c8e45f03d6052f53e078bc11995db1b525f 248676 libservlet3.1-java-doc_8.0.14-1+deb8u12_all.deb
 163ff9d1317da7b1d530527b216baf2402f0ac7e 37562 tomcat8-admin_8.0.14-1+deb8u12_all.deb
 bb53e2b9ca7c2a313bb4c629772c74f62a227cfe 195376 tomcat8-examples_8.0.14-1+deb8u12_all.deb
 300f9c25f48e159a690077b71625834587dbdcdc 689826 tomcat8-docs_8.0.14-1+deb8u12_all.deb
Checksums-Sha256:
 c4ba7e104215e5e4da8b285f6c145479b90d67f2f5096368afa9ad994d360fba 2891 tomcat8_8.0.14-1+deb8u12.dsc
 ce3326c601ca4b17d34c47c989804ce64ec61cccabbff86355ef806e8bada429 81512 tomcat8_8.0.14-1+deb8u12.debian.tar.xz
 979428e6b80347bf3b85d4d8798aa51328de11c23f590ec1cb7b1e39e0fd9ef7 59154 tomcat8-common_8.0.14-1+deb8u12_all.deb
 79c922be06c36478d3fd7ddf9c2d4fcbf5be4c78e7365e302c6e3adcdb7d8fad 48620 tomcat8_8.0.14-1+deb8u12_all.deb
 14d0693d85cc9942421566aa429a2a2736a0d9e388b06417b70cd55a0cdbb0fa 36242 tomcat8-user_8.0.14-1+deb8u12_all.deb
 a9363f9d67a2b000703ce270506cd711934f622c5c3f3029981ba18820e29eaa 4592694 libtomcat8-java_8.0.14-1+deb8u12_all.deb
 7ae2fa432f2baa90b3e270cd8c8a0c15aa707bb50aff48ee99091d4efa7cdaa8 393588 libservlet3.1-java_8.0.14-1+deb8u12_all.deb
 665fa28eafacb89d61971f6154e141da79a025c34ceb49f841a31b56e7830fb6 248676 libservlet3.1-java-doc_8.0.14-1+deb8u12_all.deb
 311b34cac98abfed228d7d088b592dfcb01389c05397640e9db68d2783fde731 37562 tomcat8-admin_8.0.14-1+deb8u12_all.deb
 fd06c0d8ab2ddefae9054f8da6f92a056db33a2fbf1d893e2144b5ec27660011 195376 tomcat8-examples_8.0.14-1+deb8u12_all.deb
 7f54baeeaca31bd60eb4b9477b23f20a29e35a404ae2019b711d435c01d6a097 689826 tomcat8-docs_8.0.14-1+deb8u12_all.deb
Files:
 cd573dc9c208d57de05508cc03900fe0 2891 java optional tomcat8_8.0.14-1+deb8u12.dsc
 f93ed485bdfb18f5a6f1f4fdd3566e86 81512 java optional tomcat8_8.0.14-1+deb8u12.debian.tar.xz
 8b8d8a37cbe3e5dc21fc47cb29e28878 59154 java optional tomcat8-common_8.0.14-1+deb8u12_all.deb
 7fff71a2b6bc916a16c15de949943f4c 48620 java optional tomcat8_8.0.14-1+deb8u12_all.deb
 90440d13662da501a42f89c73e37d6e7 36242 java optional tomcat8-user_8.0.14-1+deb8u12_all.deb
 761062cc57b0f0fe323ae24c2102106f 4592694 java optional libtomcat8-java_8.0.14-1+deb8u12_all.deb
 587e60208676526305d77a612a3eb9ef 393588 java optional libservlet3.1-java_8.0.14-1+deb8u12_all.deb
 91f8e0e07f4c02aeaa7c59a77565554c 248676 doc optional libservlet3.1-java-doc_8.0.14-1+deb8u12_all.deb
 48b3300e9f0d35557bf0a65d60a28e51 37562 java optional tomcat8-admin_8.0.14-1+deb8u12_all.deb
 6500f4b1c1ba706716417ee6e338b50d 195376 java optional tomcat8-examples_8.0.14-1+deb8u12_all.deb
 960428f85fb68a316aff381c2c15695c 689826 doc optional tomcat8-docs_8.0.14-1+deb8u12_all.deb

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE5Qr9Va3SequXFjqLIdIFiZdLPpYFAltdV/wUHHRtYW5jaWxs
QGRlYmlhbi5vcmcACgkQIdIFiZdLPpb2vRAAwzXxX3GHqjryF78LRp48+9ZXrbOk
L1LvCkFB0TiQ6O/5v0ws07ji6n29Q/4vGPXTCj77C1iLtN7FuBMmthOOEZ4Jn2aM
F9dM1X2awcLmTZmTiFqG1gtpsIUeZIUl7aocisHlMqYhj0hlQfYRCufMY6jIMaMt
xnZ3rQFKB/grMzzGgly16vZklrflrYn6OLUsL0t4wjrn4MU6o2yhs3pgbmGF0cVy
Twe+zxFUuYHxt+l1VnTwJtfUNKzm0YR3UuBCewL3QvOLomNGuHOI7ADh1oamAvId
FG+JZCLpsqtTpviVK4CIrNcDmHp8IMKq9E7hBrer9bOCZA+nCJcz9K1zoAUiYcCP
f1D4lvcyNqqcFaeo57XWcjmlnfsmAR7hSAAxB8vwBpCfJaK+kinRQIuSvirbriBn
L+6wRnEXoaKDFFLpRqIuSa9Xk4I7RBbeKdGJs8N+EkrhO9DF5G9dB89BHvrfoKU4
4AN8eudX+IoDMvnGeqVyk3FQGQ8JKFjd0DWyM0JMmGCqkhLTwVPXB2bIF3PmNW6E
iijRQYtxJZNIngxQIlXaUcwrdYT77AvaNQlF9/spmTyZUecRCP4VagiEj3BQz6/m
d7iqYTaqcXj/vVeE2dfC9YwAaToWS2uFXsYHuc0Uec26X24o/u8kDh34UZzBoOoT
IsL1wtkHF1RHgR0=
=szQo
-----END PGP SIGNATURE-----
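The Checksums-Sha256 and Files fields in a .changes file are what a downstream consumer uses to confirm that the .dsc, .debian.tar.xz and .deb artifacts actually match what the uploader signed. The script below is an added example, not part of this upload or of Debian's own tooling (dpkg, dscverify, apt): it parses a Checksums-Sha256 field in the control-file layout shown above and verifies every listed file in a directory, reporting missing, resized and altered files separately. The demo builds a constructed mini-upload (hypothetical package name "example") in a temporary directory, then flips one byte in the .deb after the listing was generated, which is the supply-chain failure the digests exist to catch.

```python
"""Verify artifacts against the Checksums-Sha256 field of a Debian .changes file.

Added example; assumes nothing beyond the standard library and the control-file
layout of a .changes file (field name on its own line, one space-indented
"<sha256> <size> <filename>" entry per file, terminated by the next field).
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def parse_checksums(changes_text: str, field: str = "Checksums-Sha256") -> Dict[str, Tuple[str, int]]:
    """Return {filename: (hexdigest, size)} for one multi-line checksum field.

    Continuation lines start with a space; the field ends at the first
    non-indented line, which is the next field or the PGP signature block.
    """
    entries: Dict[str, Tuple[str, int]] = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if not in_field:
            continue
        if not line.startswith(" "):
            break
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed {field} entry: {line!r}")
        digest, size, name = parts
        entries[name] = (digest.lower(), int(size))
    return entries


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large .deb files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_changes(changes_text: str, directory: str) -> Dict[str, str]:
    """Map each listed filename to 'ok', 'bad-name', 'missing', 'size-mismatch' or 'digest-mismatch'."""
    results: Dict[str, str] = {}
    for name, (digest, size) in parse_checksums(changes_text).items():
        # A .changes file lists bare filenames; refuse anything with a path component
        # so a hostile listing cannot steer the check outside the upload directory.
        if os.path.basename(name) != name:
            results[name] = "bad-name"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif sha256_file(path) != digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def demo() -> Dict[str, str]:
    """Constructed upload: three files plus one that was listed but never delivered."""
    with tempfile.TemporaryDirectory() as d:
        files = {  # constructed contents, not real Debian artifacts
            "example_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: example\n",
            "example_1.0-1.debian.tar.xz": b"\xfd7zXZ\x00constructed-not-a-real-archive",
            "example_1.0-1_all.deb": b"!<arch>\nconstructed-not-a-real-deb",
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # Generate the listing from the files as originally written.
        lines = ["Format: 1.8", "Source: example", "Checksums-Sha256:"]
        for name, data in files.items():
            lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
        lines.append(f" {'0' * 64} 10 example-docs_1.0-1_all.deb")
        lines.append("Files:")  # next field terminates the checksum block
        changes_text = "\n".join(lines) + "\n"
        # Tamper with the .deb after the listing exists: same size, one bit flipped.
        data = bytearray(files["example_1.0-1_all.deb"])
        data[-1] ^= 0x01
        with open(os.path.join(d, "example_1.0-1_all.deb"), "wb") as f:
            f.write(data)
        return verify_changes(changes_text, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:16} {name}")
```

Matching digests only prove that the files match the listing; they say nothing about whether the listing is authentic, so the clear-signed .changes itself still has to be verified against the uploader's key (for example with gpg --verify) before the digests mean anything. The example deliberately uses the SHA-256 field rather than the MD5 digests in Files or the Checksums-Sha1 field, since neither MD5 nor SHA-1 is collision resistant.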