Format: 1.8
Date: Wed, 27 Sep 2017 17:23:18 -0400
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source
Version: 8.0.32-1ubuntu1.5
Distribution: xenial-security
Urgency: medium
Maintainer: Ubuntu Developers
Changed-By: Marc Deslauriers
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8 - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat8 (8.0.32-1ubuntu1.5) xenial-security; urgency=medium
 .
   * SECURITY UPDATE: loss of pipeline requests
     - debian/patches/CVE-2017-5647.patch: improve sendfile handling when
       requests are pipelined in
       java/org/apache/coyote/AbstractProtocol.java,
       java/org/apache/coyote/http11/Http11AprProcessor.java,
       java/org/apache/coyote/http11/Http11Nio2Processor.java,
       java/org/apache/coyote/http11/Http11NioProcessor.java,
       java/org/apache/tomcat/util/net/AprEndpoint.java,
       java/org/apache/tomcat/util/net/Nio2Endpoint.java,
       java/org/apache/tomcat/util/net/NioEndpoint.java,
       java/org/apache/tomcat/util/net/SendfileKeepAliveState.java.
     - CVE-2017-5647
   * SECURITY UPDATE: incorrect facade object use
     - debian/patches/CVE-2017-5648.patch: ensure request and response
       facades are used when firing application listeners in
       java/org/apache/catalina/authenticator/FormAuthenticator.java,
       java/org/apache/catalina/core/StandardHostValve.java.
     - CVE-2017-5648
   * SECURITY UPDATE: unexpected and undesirable results for static error
     pages
     - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
       java/org/apache/catalina/servlets/DefaultServlet.java,
       java/org/apache/catalina/servlets/WebdavServlet.java.
     - CVE-2017-5664
   * SECURITY UPDATE: client and server side cache poisoning in CORS filter
     - debian/patches/CVE-2017-7674.patch: set Vary header in response in
       java/org/apache/catalina/filters/CorsFilter.java.
     - CVE-2017-7674
Checksums-Sha1:
 24dc04c7055369055ee7c1e6ff629a20483b1750 2881 tomcat8_8.0.32-1ubuntu1.5.dsc
 387af8c2e4077bc293121556ada51f02a44f9e65 55208 tomcat8_8.0.32-1ubuntu1.5.debian.tar.xz
Checksums-Sha256:
 6b7df47c3f24d4fc3203a4a7187bbda99a5aa3ff42b64a5784ea508cd1641e60 2881 tomcat8_8.0.32-1ubuntu1.5.dsc
 acdd3ce88cba747ab999eddf4b85d0efb94e6c45ba3fcd972ea741f642b509db 55208 tomcat8_8.0.32-1ubuntu1.5.debian.tar.xz
Files:
 c5708fb3b9338ab6197073810c376954 2881 java optional tomcat8_8.0.32-1ubuntu1.5.dsc
 faeda8b502d6b67241e8a493f212f1c7 55208 java optional tomcat8_8.0.32-1ubuntu1.5.debian.tar.xz
Original-Maintainer: Debian Java Maintainers