Format: 1.8
Date: Wed, 27 Sep 2017 17:20:40 -0400
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source
Version: 8.0.38-2ubuntu2.2
Distribution: zesty-security
Urgency: medium
Maintainer: Ubuntu Developers
Changed-By: Marc Deslauriers
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8 - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat8 (8.0.38-2ubuntu2.2) zesty-security; urgency=medium
 .
   * SECURITY UPDATE: loss of pipeline requests
     - debian/patches/CVE-2017-5647.patch: improve sendfile handling when
       requests are pipelined in
       java/org/apache/coyote/AbstractProtocol.java,
       java/org/apache/coyote/http11/Http11AprProcessor.java,
       java/org/apache/coyote/http11/Http11Nio2Processor.java,
       java/org/apache/coyote/http11/Http11NioProcessor.java,
       java/org/apache/tomcat/util/net/AprEndpoint.java,
       java/org/apache/tomcat/util/net/Nio2Endpoint.java,
       java/org/apache/tomcat/util/net/NioEndpoint.java,
       java/org/apache/tomcat/util/net/SendfileKeepAliveState.java.
     - CVE-2017-5647
   * SECURITY UPDATE: incorrect facade object use
     - debian/patches/CVE-2017-5648.patch: ensure request and response
       facades are used when firing application listeners in
       java/org/apache/catalina/authenticator/FormAuthenticator.java,
       java/org/apache/catalina/core/StandardHostValve.java.
     - CVE-2017-5648
   * SECURITY UPDATE: unexpected and undesirable results for static error
     pages
     - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
       java/org/apache/catalina/servlets/DefaultServlet.java,
       java/org/apache/catalina/servlets/WebdavServlet.java.
     - CVE-2017-5664
   * SECURITY UPDATE: client and server side cache poisoning in CORS filter
     - debian/patches/CVE-2017-7674.patch: set Vary header in response in
       java/org/apache/catalina/filters/CorsFilter.java.
     - CVE-2017-7674
Checksums-Sha1:
 4580e4ec12882ea5f2c7df3fdb3ba74750845313 3023 tomcat8_8.0.38-2ubuntu2.2.dsc
 909f66fbac3f30ba0d9b9a2bc4a4b81f973ba194 46972 tomcat8_8.0.38-2ubuntu2.2.debian.tar.xz
Checksums-Sha256:
 17ac00522cf47e7e2a22a9020120e48344f308937f6077dc73472f2389da9e68 3023 tomcat8_8.0.38-2ubuntu2.2.dsc
 866b37af1b0e8676e1f6f39315c91bcb791445910c5e859773b7e8b942d6a0ac 46972 tomcat8_8.0.38-2ubuntu2.2.debian.tar.xz
Files:
 905f40b00c7f216494a5a31e3322285b 3023 java optional tomcat8_8.0.38-2ubuntu2.2.dsc
 5bb53ae1502c31473da504f726e46a75 46972 java optional tomcat8_8.0.38-2ubuntu2.2.debian.tar.xz
Original-Maintainer: Debian Java Maintainers