-
tomcat8 (8.0.32-1ubuntu1.13) xenial-security; urgency=medium
* SECURITY UPDATE: infinite loop via invalid payload length
- debian/patches/CVE-2020-13935.patch: add additional payload length
validation in java/org/apache/tomcat/websocket/WsFrameBase.java,
java/org/apache/tomcat/websocket/LocalStrings.properties.
- CVE-2020-13935
* SECURITY UPDATE: HTTP Request Smuggling via invalid request smuggling
- debian/patches/CVE-2020-1935.patch: use stricter header value
parsing in java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
java/org/apache/coyote/http11/InternalAprInputBuffer.java,
java/org/apache/coyote/http11/InternalInputBuffer.java,
java/org/apache/tomcat/util/http/MimeHeaders.java,
java/org/apache/tomcat/util/http/parser/HttpParser.java,
test/org/apache/coyote/http11/TestInternalInputBuffer.java.
- CVE-2020-1935
* SECURITY UPDATE: remote code execution via deserialization of a file
under the attacker's control
- debian/patches/CVE-2020-9484.patch: improve validation of storage
location when using FileStore in
java/org/apache/catalina/session/FileStore.java,
java/org/apache/catalina/session/LocalStrings.properties.
- CVE-2020-9484
-- Marc Deslauriers <email address hidden> Mon, 03 Aug 2020 06:53:09 -0400
-
tomcat8 (8.0.32-1ubuntu1.11) xenial-security; urgency=medium
* SECURITY UPDATE: JMX interface authentication bypass
- debian/patches/CVE-2019-12418.patch: refactor JMX remote RMI registry
creation in JmxRemoteLifecycleListener.java.
- CVE-2019-12418
* SECURITY UPDATE: session fixation attack in FORM authentication
- debian/patches/CVE-2019-17563.patch: refactor so Principal is never
cached in session with cache==false in
java/org/apache/catalina/authenticator/AuthenticatorBase.java,
java/org/apache/catalina/authenticator/Constants.java,
java/org/apache/catalina/authenticator/FormAuthenticator.java.
- CVE-2019-17563
-- Marc Deslauriers <email address hidden> Fri, 24 Jan 2020 11:24:30 -0500
-
tomcat8 (8.0.32-1ubuntu1.10) xenial-security; urgency=medium
* SECURITY UPDATE: XSS attack on SSI printenv command
- debian/patches/CVE-2019-0221.patch: escape debug output to aid
readability
- CVE-2019-0221
-- Emilia Torino <email address hidden> Mon, 09 Sep 2019 09:49:23 -0300
-
tomcat8 (8.0.32-1ubuntu1.9) xenial; urgency=medium
* d/p/fix-class-resource-name-filtering.patch: Fix class and resource name
filtering in WebappClassLoader (LP: #1606331).
-- Karl Stenerud <email address hidden> Mon, 10 Dec 2018 15:08:07 +0100
-
tomcat8 (8.0.32-1ubuntu1.8) xenial-security; urgency=medium
* SECURITY UPDATE: arbitrary redirect issue
- debian/patches/CVE-2018-11784.patch: avoid protocol relative
redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
- CVE-2018-11784
-- Marc Deslauriers <email address hidden> Tue, 09 Oct 2018 11:28:36 -0400
-
tomcat8 (8.0.32-1ubuntu1.7) xenial-security; urgency=medium
* SECURITY UPDATE: DoS via issue in UTF-8 decoder
- debian/patches/CVE-2018-1336.patch: fix logic in
java/org/apache/tomcat/util/buf/Utf8Decoder.java.
- CVE-2018-1336
* SECURITY UPDATE: missing hostname verification in WebSocket client
- debian/patches/CVE-2018-8034.patch: enable hostname verification by
default in webapps/docs/web-socket-howto.xml,
java/org/apache/tomcat/websocket/WsWebSocketContainer.java.
- CVE-2018-8034
-- Marc Deslauriers <email address hidden> Wed, 25 Jul 2018 08:17:36 -0400
-
tomcat8 (8.0.32-1ubuntu1.6) xenial-security; urgency=medium
* SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
- debian/patches/CVE-2017-12617.patch: add checks to
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
java/org/apache/catalina/webresources/DirResourceSet.java,
java/org/apache/tomcat/util/compat/JrePlatform.java,
test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
- CVE-2017-12617
* SECURITY UPDATE: security constraints mapped to context root are ignored
- debian/patches/CVE-2018-1304.patch: add check to
java/org/apache/catalina/realm/RealmBase.java.
- CVE-2018-1304
* SECURITY UPDATE: security constraint annotations applied too late
- debian/patches/CVE-2018-1305.patch: change ordering in
java/org/apache/catalina/Wrapper.java,
java/org/apache/catalina/authenticator/AuthenticatorBase.java,
java/org/apache/catalina/core/ApplicationContext.java,
java/org/apache/catalina/core/ApplicationServletRegistration.java,
java/org/apache/catalina/core/StandardContext.java,
java/org/apache/catalina/core/StandardWrapper.java,
java/org/apache/catalina/startup/ContextConfig.java,
java/org/apache/catalina/startup/Tomcat.java,
java/org/apache/catalina/startup/WebAnnotationSet.java.
- CVE-2018-1305
* SECURITY UPDATE: CORS filter has insecure defaults
- debian/patches/CVE-2018-8014.patch: change defaults in
java/org/apache/catalina/filters/CorsFilter.java,
java/org/apache/catalina/filters/LocalStrings.properties,
test/org/apache/catalina/filters/TestCorsFilter.java,
test/org/apache/catalina/filters/TesterFilterConfigs.java.
- CVE-2018-8014
-- Marc Deslauriers <email address hidden> Mon, 28 May 2018 13:21:29 -0400
-
tomcat8 (8.0.32-1ubuntu1.5) xenial-security; urgency=medium
* SECURITY UPDATE: loss of pipeline requests
- debian/patches/CVE-2017-5647.patch: improve sendfile handling when
requests are pipelined in
java/org/apache/coyote/AbstractProtocol.java,
java/org/apache/coyote/http11/Http11AprProcessor.java,
java/org/apache/coyote/http11/Http11Nio2Processor.java,
java/org/apache/coyote/http11/Http11NioProcessor.java,
java/org/apache/tomcat/util/net/AprEndpoint.java,
java/org/apache/tomcat/util/net/Nio2Endpoint.java,
java/org/apache/tomcat/util/net/NioEndpoint.java,
java/org/apache/tomcat/util/net/SendfileKeepAliveState.java.
- CVE-2017-5647
* SECURITY UPDATE: incorrect facade object use
- debian/patches/CVE-2017-5648.patch: ensure request and response
facades are used when firing application listeners in
java/org/apache/catalina/authenticator/FormAuthenticator.java,
java/org/apache/catalina/core/StandardHostValve.java.
- CVE-2017-5648
* SECURITY UPDATE: unexpected and undesirable results for static error
pages
- debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/catalina/servlets/WebdavServlet.java.
- CVE-2017-5664
* SECURITY UPDATE: client and server side cache poisoning in CORS filter
- debian/patches/CVE-2017-7674.patch: set Vary header in response in
java/org/apache/catalina/filters/CorsFilter.java.
- CVE-2017-7674
-- Marc Deslauriers <email address hidden> Wed, 27 Sep 2017 17:23:18 -0400
-
tomcat8 (8.0.32-1ubuntu1.4) xenial; urgency=medium
* Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat8
contains the '%' character (LP: #1666570).
-- Joshua Powers <email address hidden> Thu, 09 Mar 2017 14:38:04 -0700
-
tomcat8 (8.0.32-1ubuntu1.3) xenial-security; urgency=medium
* SECURITY UPDATE: timing attack in realm implementations
- debian/patches/CVE-2016-0762.patch: add time delays to
java/org/apache/catalina/realm/DataSourceRealm.java,
java/org/apache/catalina/realm/JDBCRealm.java,
java/org/apache/catalina/realm/MemoryRealm.java,
java/org/apache/catalina/realm/RealmBase.java.
- CVE-2016-0762
* SECURITY UPDATE: SecurityManager bypass via a Tomcat utility method
- debian/patches/CVE-2016-5018.patch: remove unnecessary code in
java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
java/org/apache/jasper/security/SecurityClassLoad.java,
java/org/apache/jasper/servlet/JasperInitializer.java.
- CVE-2016-5018
* SECURITY UPDATE: mitigaton for httpoxy issue
- debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
java/org/apache/catalina/servlets/CGIServlet.java.
- CVE-2016-5388
* SECURITY UPDATE: system properties read SecurityManager bypass
- debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
to the system property replacement feature of the digester in
java/org/apache/catalina/loader/WebappClassLoaderBase.java,
java/org/apache/tomcat/util/digester/Digester.java,
java/org/apache/tomcat/util/security/PermissionCheck.java.
- CVE-2016-6794
* SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
parameters
- debian/patches/CVE-2016-6796.patch: ignore some JSP options when
running under a SecurityManager in conf/web.xml,
java/org/apache/jasper/EmbeddedServletOptions.java,
java/org/apache/jasper/resources/LocalStrings.properties,
java/org/apache/jasper/servlet/JspServlet.java,
webapps/docs/jasper-howto.xml.
- CVE-2016-6796
* SECURITY UPDATE: web application global JNDI resource access
- debian/patches/CVE-2016-6797.patch: ensure that the global resource
is only visible via the ResourceLinkFactory when it is meant to be in
java/org/apache/catalina/core/NamingContextListener.java,
java/org/apache/naming/factory/ResourceLinkFactory.java,
test/org/apache/naming/TestNamingContext.java.
- CVE-2016-6797
* SECURITY UPDATE: HTTP response injection via invalid characters
- debian/patches/CVE-2016-6816.patch: add additional checks for valid
characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
java/org/apache/coyote/http11/InternalAprInputBuffer.java,
java/org/apache/coyote/http11/InternalInputBuffer.java,
java/org/apache/coyote/http11/LocalStrings.properties,
java/org/apache/tomcat/util/http/parser/HttpParser.java.
- CVE-2016-6816
* SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
- debian/patches/CVE-2016-8735.patch: explicitly configure allowed
credential types in
java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
- CVE-2016-8735
* SECURITY UPDATE: information leakage between requests
- debian/patches/CVE-2016-8745.patch: properly handle cache when unable
to complete sendfile request in
java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2016-8745
* SECURITY UPDATE: privilege escalation during package upgrade
- debian/rules, debian/tomcat8.postinst: properly set permissions on
/etc/tomcat8/Catalina/localhost.
- CVE-2016-9774
* SECURITY UPDATE: privilege escalation during package removal
- debian/tomcat8.postrm.in: don't reset permissions before removing
user.
- CVE-2016-9775
* debian/tomcat8.init: further hardening.
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2017 08:18:27 -0500
-
tomcat8 (8.0.32-1ubuntu1.2) xenial-security; urgency=medium
* SECURITY UPDATE: privilege escalation via insecure init script
- debian/tomcat8.init: don't follow symlinks when handling the
catalina.out file.
- CVE-2016-1240
-- Marc Deslauriers <email address hidden> Fri, 16 Sep 2016 09:11:41 -0400
-
tomcat8 (8.0.32-1ubuntu1.1) xenial-security; urgency=medium
* SECURITY UPDATE: denial of service in FileUpload
- debian/patches/CVE-2016-3092.patch: properly handle size in
java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
- CVE-2016-3092
-- Marc Deslauriers <email address hidden> Wed, 06 Jul 2016 07:49:29 -0400
-
tomcat8 (8.0.32-1ubuntu1) xenial; urgency=medium
* Prepare to promote tomcat8 to main (LP: #1539903).
- debian/control, 0021-ubuntu-mainize-build-xml.patch: Remove
build-dependencies on libobjenesis-java and libeasymock-java, and skip
tests that rely on the functionality they provide.
-- Nishanth Aravamudan <email address hidden> Fri, 05 Feb 2016 09:20:39 +0100
-
tomcat8 (8.0.32-1) unstable; urgency=medium
* Team upload.
* New upstream release
* Fixed a warning in catalina.out caused by an incorrect path
for the root context (Closes: #808378)
* Standards-Version updated to 3.9.7 (no changes)
-- Emmanuel Bourg <email address hidden> Mon, 21 Dec 2015 11:20:10 +0100
-
tomcat8 (8.0.30-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patches
* Use LC_ALL instead of LANG to format the date and make the documentation
reproducible on the builders
-- Emmanuel Bourg <email address hidden> Fri, 18 Dec 2015 11:44:06 +0100
-
tomcat8 (8.0.28-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patches
* Fixed a localized date in the documentation to improve the reproducibility
-- Emmanuel Bourg <email address hidden> Mon, 19 Oct 2015 11:12:07 +0200
-
tomcat8 (8.0.26-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patches
* Changed the authbind configuration to allow IPv6 connections (LP: #1443041)
* Fixed an upgrade error when /etc/tomcat8/tomcat-users.xml is removed
(LP: #1010791)
* Fixed a minor HTML error in the default index.html file (LP: #1236132)
-- Emmanuel Bourg <email address hidden> Mon, 24 Aug 2015 00:30:40 +0200
