Format: 1.8
Date: Mon, 28 May 2018 13:21:29 -0400
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: all amd64_translations
Version: 8.0.32-1ubuntu1.6
Distribution: xenial
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Marc Deslauriers
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8 - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Launchpad-Bugs-Fixed: 1721749
Changes:
 tomcat8 (8.0.32-1ubuntu1.6) xenial-security; urgency=medium
 .
   * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
     - debian/patches/CVE-2017-12617.patch: add checks to
       java/org/apache/catalina/servlets/DefaultServlet.java,
       java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
       java/org/apache/catalina/webresources/DirResourceSet.java,
       java/org/apache/tomcat/util/compat/JrePlatform.java,
       test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
       test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
     - CVE-2017-12617
   * SECURITY UPDATE: security constraints mapped to context root are ignored
     - debian/patches/CVE-2018-1304.patch: add check to
       java/org/apache/catalina/realm/RealmBase.java.
     - CVE-2018-1304
   * SECURITY UPDATE: security constraint annotations applied too late
     - debian/patches/CVE-2018-1305.patch: change ordering in
       java/org/apache/catalina/Wrapper.java,
       java/org/apache/catalina/authenticator/AuthenticatorBase.java,
       java/org/apache/catalina/core/ApplicationContext.java,
       java/org/apache/catalina/core/ApplicationServletRegistration.java,
       java/org/apache/catalina/core/StandardContext.java,
       java/org/apache/catalina/core/StandardWrapper.java,
       java/org/apache/catalina/startup/ContextConfig.java,
       java/org/apache/catalina/startup/Tomcat.java,
       java/org/apache/catalina/startup/WebAnnotationSet.java.
     - CVE-2018-1305
   * SECURITY UPDATE: CORS filter has insecure defaults
     - debian/patches/CVE-2018-8014.patch: change defaults in
       java/org/apache/catalina/filters/CorsFilter.java,
       java/org/apache/catalina/filters/LocalStrings.properties,
       test/org/apache/catalina/filters/TestCorsFilter.java,
       test/org/apache/catalina/filters/TesterFilterConfigs.java.
     - CVE-2018-8014
Original-Maintainer: Debian Java Maintainers