Debian Package Tracker

general

source: tomcat8 (main)
version: 8.5.30-1
maintainer: Debian Java Maintainers (archive) [DMD]
uploaders: James Page [DMD] – Emmanuel Bourg [DMD] – Jakub Adam [DMD] – tony mancill [DMD]
arch: all
std-ver: 4.1.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-bpo: 8.0.14-1~bpo70+2
o-o-bpo-sl: 8.5.11-1~bpo7+1
oldstable: 8.0.14-1+deb8u11
old-sec: 8.0.14-1+deb8u11
old-bpo: 8.5.14-1~bpo8+1
stable: 8.5.14-1+deb9u2
stable-sec: 8.5.14-1+deb9u2
stable-bpo: 8.5.29-1~bpo9+1
testing: 8.5.30-1
unstable: 8.5.30-1

versioned links

8.0.14-1~bpo70+2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.0.14-1+deb8u11: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.5.11-1~bpo7+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.5.14-1~bpo8+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.5.14-1+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.5.29-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.5.30-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libservlet3.1-java
libservlet3.1-java-doc
libtomcat8-embed-java
libtomcat8-java
tomcat8
tomcat8-admin
tomcat8-common
tomcat8-docs
tomcat8-examples
tomcat8-user

action needed

A new upstream version is available: 8.5.31 high

A new upstream version 8.5.31 is available, you should consider packaging it.

Created: 2018-05-06 Last update: 2018-05-27 08:02

1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:

CVE-2018-8014: The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Please fix it.

Created: 2018-05-17 Last update: 2018-05-18 08:04

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2018-8014: The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Please fix it.

Created: 2018-05-17 Last update: 2018-05-18 08:04

3 security issues in stretch high

There are 3 open security issues in stretch.

2 important issues:

CVE-2018-1305: Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
CVE-2018-1304: The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

1 issue skipped by the security teams:

CVE-2018-8014: The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Please fix them.

Created: 2017-10-05 Last update: 2018-05-18 08:04

3 security issues in jessie high

There are 3 open security issues in jessie.

2 important issues:

CVE-2018-1305: Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
CVE-2018-1304: The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

1 issue skipped by the security teams:

CVE-2018-8014: The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Please fix them.

Created: 2017-10-05 Last update: 2018-05-18 08:04

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2017-11-21 Last update: 2018-05-27 13:46

Multiarch hinter reports 2 issue(s) normal

There are issues with the multiarch metadata for this package.

libservlet3.1-java could be marked Multi-Arch: foreign
libservlet3.1-java-doc could be marked Multi-Arch: foreign

Created: 2016-09-14 Last update: 2018-05-27 08:18

lintian reports 7 warnings normal

Lintian reports 7 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2018-04-12 Last update: 2018-04-13 07:57

news

[rss feed]

[2018-04-18] tomcat8 8.5.30-1 MIGRATED to testing (Debian testing watch)
[2018-04-12] Accepted tomcat8 8.5.30-1 (source) into unstable (Emmanuel Bourg)
[2018-04-12] Accepted tomcat8 8.5.29-1~bpo9+1 (source all) into stretch-backports (Emmanuel Bourg)
[2018-03-18] tomcat8 8.5.29-1 MIGRATED to testing (Debian testing watch)
[2018-03-12] Accepted tomcat8 8.5.29-1 (source) into unstable (Emmanuel Bourg)
[2018-02-23] Accepted tomcat8 8.5.28-1~bpo9+1 (source all) into stretch-backports (Emmanuel Bourg)
[2018-02-22] tomcat8 8.5.28-1 MIGRATED to testing (Debian testing watch)
[2018-02-16] Accepted tomcat8 8.5.28-1 (source) into unstable (Emmanuel Bourg)
[2018-01-05] Accepted tomcat8 8.5.24-2~bpo9+1 (source all) into stretch-backports, stretch-backports (Emmanuel Bourg)
[2017-12-19] tomcat8 8.5.24-2 MIGRATED to testing (Debian testing watch)
[2017-12-14] Accepted tomcat8 8.5.24-2 (source) into unstable (Emmanuel Bourg)
[2017-12-06] tomcat8 8.5.24-1 MIGRATED to testing (Debian testing watch)
[2017-12-01] Accepted tomcat8 8.5.24-1 (source) into unstable (Emmanuel Bourg)
[2017-10-18] tomcat8 8.5.23-1 MIGRATED to testing (Debian testing watch)
[2017-10-12] Accepted tomcat8 8.5.23-1 (source) into unstable (Emmanuel Bourg)
[2017-09-25] tomcat8 8.5.21-1 MIGRATED to testing (Debian testing watch)
[2017-09-23] Accepted tomcat8 8.0.14-1+deb8u11 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Sebastien Delafond)
[2017-09-23] Accepted tomcat8 8.5.14-1+deb9u2 (source all) into proposed-updates->stable-new, proposed-updates (Markus Koschany)
[2017-09-20] Accepted tomcat8 8.5.21-1 (source) into unstable (Emmanuel Bourg)
[2017-07-04] tomcat8 8.5.16-1 MIGRATED to testing (Debian testing watch)
[2017-06-28] Accepted tomcat8 8.5.16-1 (source) into unstable (Emmanuel Bourg)
[2017-06-26] tomcat8 8.5.15-1 MIGRATED to testing (Debian testing watch)
[2017-06-24] Accepted tomcat8 8.0.14-1+deb8u10 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Markus Koschany)
[2017-06-24] Accepted tomcat8 8.5.14-1+deb9u1 (source) into proposed-updates->stable-new, proposed-updates (Emmanuel Bourg)
[2017-06-21] Accepted tomcat8 8.5.15-1 (source) into unstable (Emmanuel Bourg)
[2017-06-20] tomcat8 8.5.14-2 MIGRATED to testing (Debian testing watch)
[2017-06-08] Accepted tomcat8 8.5.14-2 (source) into unstable (Emmanuel Bourg)
[2017-05-27] Accepted tomcat8 8.0.14-1+deb8u9 (source all) into proposed-updates->stable-new, proposed-updates (Markus Koschany)
[2017-05-15] Accepted tomcat8 8.5.14-1~bpo8+1 (source all) into jessie-backports->backports-policy, jessie-backports (Emmanuel Bourg)
[2017-05-13] tomcat8 8.5.14-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 23
RC: 0
I&N: 14
M&W: 9
F&P: 0

links

homepage
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 8.5.30-1ubuntu2
13 bugs (1 patch)
patches for 8.5.30-1ubuntu2