tomcat8 (8.0.14-1+deb8u11) jessie-security; urgency=high

  * Fix CVE-2017-7674: The CORS Filter did not add an HTTP Vary header
    indicating that the response varies depending on Origin. This permitted
    client and server side cache poisoning in some circumstances.

 -- Sebastien Delafond  Fri, 15 Sep 2017 13:18:33 +0200

tomcat8 (8.0.14-1+deb8u10) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2017-5664. The error page mechanism of the Java Servlet
    Specification requires that, when an error occurs and an error page is
    configured for the error that occurred, the original request and response
    are forwarded to the error page. This means that the request is presented
    to the error page with the original HTTP method. If the error page is a
    static file, expected behaviour is to serve content of the file as if
    processing a GET request, regardless of the actual HTTP method. The
    Default Servlet in Apache Tomcat did not do this. Depending on the
    original request this could lead to unexpected and undesirable results
    for static error pages including, if the DefaultServlet is configured to
    permit writes, the replacement or removal of the custom error page.
    (Closes: #864447)

 -- Markus Koschany  Tue, 20 Jun 2017 20:26:44 +0200

tomcat8 (8.0.14-1+deb8u9) jessie-security; urgency=high

  * Team upload.
  * Fix the following security vulnerabilities:
    - CVE-2017-5647: A bug in the handling of the pipelined requests when send
      file was used resulted in the pipelined request being lost when send
      file processing of the previous request completed. This could result in
      responses appearing to be sent for the wrong request. For example, a
      user agent that sent requests A, B and C could see the correct response
      for request A, the response for request C for request B and no response
      for request C.
    - CVE-2017-5648: It was noticed that some calls to application listeners
      did not use the appropriate facade object. When running an untrusted
      application under a SecurityManager, it was therefore possible for that
      untrusted application to retain a reference to the request or response
      object and thereby access and/or modify information associated with
      another web application.

 -- Markus Koschany  Sun, 30 Apr 2017 21:38:43 +0200

tomcat8 (8.0.14-1+deb8u8) jessie-security; urgency=high

  * Team upload.
  * Add BZ57544-infinite-loop-part2.patch. Fix regression (400 HTTP errors)
    due to an incomplete fix for CVE-2017-6056. See #854551 for further
    information.

 -- Markus Koschany  Sat, 18 Feb 2017 18:44:25 +0100

tomcat8 (8.0.14-1+deb8u7) jessie-security; urgency=high

  * Team upload.
  * Add BZ57544-infinite-loop.patch: It was found that https GET requests
    could trigger an infinite loop and thus cause a denial-of-service.
    (Closes: #851304)

 -- Markus Koschany  Mon, 13 Feb 2017 10:34:43 +0100

tomcat8 (8.0.14-1+deb8u6) jessie-security; urgency=high

  * Fixed CVE-2016-8745: A bug in the error handling of the send file code for
    the NIO HTTP connector resulted in the current Processor object being
    added to the Processor cache multiple times. This in turn meant that the
    same Processor could be used for concurrent requests. Sharing a Processor
    can result in information leakage between requests including, but not
    limited to, session ID and the response body.

 -- Emmanuel Bourg  Thu, 05 Jan 2017 17:10:29 +0100

tomcat8 (8.0.14-1+deb8u5) jessie-security; urgency=high

  * Fixed CVE-2016-9774: Potential privilege escalation when the tomcat8
    package is upgraded. Thanks to Paul Szabo for the report (Closes: #845393)
  * Fixed CVE-2016-9775: Potential privilege escalation when the tomcat8
    package is purged. Thanks to Paul Szabo for the report (Closes: #845385)
  * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted
    invalid characters. This could be exploited, in conjunction with a proxy
    that also permitted the invalid characters but with a different
    interpretation, to inject data into the HTTP response. By manipulating
    the HTTP response the attacker could poison a web-cache, perform an XSS
    attack and/or obtain sensitive information from requests other than their
    own.
  * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to
    take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat
    installations using this listener remained vulnerable to a similar remote
    code execution vulnerability. This issue has been rated as important
    rather than critical due to the small number of installations using this
    listener and that it would be highly unusual for the JMX ports to be
    accessible to an attacker even when the listener is used.
  * Backported the fix for upstream bug 57377: Remove the restriction that
    prevented the use of SSL when specifying a bind address for the JMX/RMI
    server. Enable SSL to be configured for the registry as well as the
    server.
  * CVE-2016-5018 follow-up: Applied a missing modification fixing a
    ClassNotFoundException when the security manager is enabled (see #846298)
  * CVE-2016-6797 follow-up: Fixed a regression preventing some applications
    from accessing the global resources (see #845425)
  * CVE-2015-5345 follow-up: Applied a missing modification to DefaultServlet
  * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
    with recent JREs
  * Backported a fix disabling the broken SSLv3 tests
  * Refreshed the expired SSL certificates used by the tests
  * Set the locale when running the tests to prevent locale sensitive tests
    from failing
  * Added asm-all.jar to the test classpath to fix TestWebappServiceLoader
  * Fixed a test failure in the new TestNamingContext test added with the fix
    for CVE-2016-6797
  * Test failures are no longer ignored and now stop the build

 -- Emmanuel Bourg  Sat, 17 Dec 2016 09:19:36 +0100

tomcat8 (8.0.14-1+deb8u4) jessie-security; urgency=medium

  * Fixed CVE-2016-0762: The Realm implementations did not process the
    supplied password if the supplied user name did not exist. This made a
    timing attack possible to determine valid user names.
  * Fixed CVE-2016-5018: A malicious web application was able to bypass a
    configured SecurityManager via a Tomcat utility method that was
    accessible to web applications.
  * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
    application's ability to read system properties should be controlled by
    the SecurityManager. Tomcat's system property replacement feature for
    configuration files could be used by a malicious web application to
    bypass the SecurityManager and read system properties that should not be
    visible.
  * Fixed CVE-2016-6796: A malicious web application was able to bypass a
    configured SecurityManager via manipulation of the configuration
    parameters for the JSP Servlet.
  * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
    access to global JNDI resources to those resources explicitly linked to
    the web application. Therefore, it was possible for a web application to
    access any global JNDI resource whether an explicit ResourceLink had been
    configured or not.
  * CVE-2016-1240 follow-up:
    - The previous init.d fix was vulnerable to a race condition that could be
      exploited to make any existing file writable by the tomcat user. Thanks
      to Paul Szabo for the report and the fix.
    - The catalina.policy file generated on startup was affected by a similar
      vulnerability that could be exploited to overwrite any file on the
      system. Thanks to Paul Szabo for the report.
  * Hardened the init.d script, thanks to Paul Szabo (Closes: #840685)

 -- Emmanuel Bourg  Thu, 17 Nov 2016 09:00:15 +0100

tomcat8 (8.0.14-1+deb8u3) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2016-1240: tomcat8.init: Protect /var/lib/tomcat8/catalina.out
    against a symlink attack and possible root privilege escalation.
  * Do not unconditionally overwrite files in /etc/tomcat8 anymore.
    (Closes: #825786)
  * Change file permissions to 640 for Debian files in /etc/tomcat8.

 -- Markus Koschany  Mon, 15 Aug 2016 17:38:02 +0200

tomcat8 (8.0.14-1+deb8u2) jessie-security; urgency=high

  * Team upload.

  [ Emmanuel Bourg ]
  * Fix CVE-2016-3092: Denial-of-Service vulnerability with file uploads

  [ Markus Koschany ]
  * Fix CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java
    allows remote authenticated users to bypass intended SecurityManager
    restrictions and list a parent directory via a /.. (slash dot dot) in a
    pathname used by a web application in a getResource, getResourceAsStream,
    or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps
    directory.
  * Fix CVE-2015-5345: The Mapper component in Apache Tomcat processes
    redirects before considering security constraints and Filters, which
    allows remote attackers to determine the existence of a directory via a
    URL that lacks a trailing / (slash) character.
  * Fix CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when
    different session settings are used for deployments of multiple versions
    of the same web application, might allow remote attackers to hijack web
    sessions by leveraging use of a requestedSessionSSL field for an
    unintended request, related to CoyoteAdapter.java and Request.java.
  * Fix CVE-2015-5351: The Manager and Host Manager applications in Apache
    Tomcat establish sessions and send CSRF tokens for arbitrary new
    requests, which allows remote attackers to bypass a CSRF protection
    mechanism by using a token.
  * Fix CVE-2016-0706: Apache Tomcat does not place
    org.apache.catalina.manager.StatusManagerServlet on the
    org/apache/catalina/core/RestrictedServlets.properties list, which allows
    remote authenticated users to bypass intended SecurityManager
    restrictions and read arbitrary HTTP requests, and consequently discover
    session ID values, via a crafted web application.
  * Fix CVE-2016-0714: The session-persistence implementation in Apache
    Tomcat mishandles session attributes, which allows remote authenticated
    users to bypass intended SecurityManager restrictions and execute
    arbitrary code in a privileged context via a web application that places
    a crafted object in a session.
  * Fix CVE-2016-0763: The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
    not consider whether ResourceLinkFactory.setGlobalContext callers are
    authorized, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and read or write to arbitrary application
    data, or cause a denial of service (application disruption), via a web
    application that sets a crafted global context.

 -- Emmanuel Bourg  Thu, 23 Jun 2016 00:27:20 +0200

tomcat8 (8.0.14-1+deb8u1) jessie-security; urgency=medium

  * Fixed CVE-2014-7810: Malicious web applications could use expression
    language to bypass the protections of a Security Manager as expressions
    were evaluated within a privileged code section.

 -- Emmanuel Bourg  Fri, 18 Dec 2015 10:20:56 +0100

tomcat8 (8.0.14-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Build depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg  Mon, 29 Sep 2014 13:23:43 +0200

tomcat8 (8.0.12-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Fixed the tomcat8-examples configuration (Closes: #753372)
  * No longer create the common/server/shared directories under
    /var/lib/tomcat8, and use a unique lib directory as documented upstream
    since Tomcat 6. The old directories are still supported if inherited from
    a previous installation (Closes: #754386)
  * Depend on libecj-java >= 3.10.0 to support the new Java 8 syntax in JSPs
  * Install the missing tomcat-dbcp.jar in libtomcat8-java and use it as the
    default JDBC pool implementation instead of Commons DBCP.
  * Removed the obsolete patch 0012-java7-compat.patch
  * Tightened the build dependency on junit4 (>= 4.11)
  * Build the Javadoc with the JDK specified by the JAVA_HOME variable instead
    of the default JDK (this fixes a build failure when backporting to Wheezy)
  * Removed the note about the authbind IPv6 incompatibility in
    /etc/defaults/tomcat8

 -- Emmanuel Bourg  Wed, 17 Sep 2014 16:23:52 +0200

tomcat8 (8.0.9-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
  * Search for OpenJDK 8 and Oracle JDKs when starting the server
  * Removed the dependency on the non-existent java-7-runtime package
  * Fixed a link still pointing to the Tomcat 7 documentation in README.Debian
  * Updated the version required for libtcnative-1 (>= 1.1.30)

  [ tony mancill ]
  * Update README.Debian with information about migration guides.

 -- Emmanuel Bourg  Tue, 24 Jun 2014 21:28:37 +0200

tomcat8 (8.0.8-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg  Thu, 22 May 2014 13:01:55 +0200

tomcat8 (8.0.5-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Disabled Java 8 support in JSPs (requires an Eclipse compiler update)
  * Fixed the name of the doc-base file for libservlet3.1-java
    (Closes: #746338)
  * Update email addresses of maintainers.

 -- Emmanuel Bourg  Tue, 29 Apr 2014 10:22:45 +0200

tomcat8 (8.0.3-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * Team upload.
  * New upstream release (Closes: #722675)
    - Updated the version of the Servlet, JSP and EL APIs
    - Switched to Java 7
    - Updated the watch file to match the Tomcat 8 releases
    - Refreshed the patches
    - Updated debian/copyright, documented the xsd files licensed under the
      CDDL
    - Installed the new jars (spdy, jni, websocket, websocket-api,
      storeconfig)
    - Updated the artifactId of the specification jars to include the new
      javax prefix
    - Added the javax.websocket-api artifact to libservlet3.1-java
    - New build dependency on cglib, easymock and objenesis
  * Added a patch to include the name of the distribution on the error pages
  * Use XZ compression for the upstream tarball
  * debian/control:
    - Replaced Sun Microsystems with Oracle in the packages descriptions
    - Mentioned 'Apache Tomcat' in the packages descriptions
    - Standards-Version updated to 3.9.5 (no changes)
  * Deploy the Tomcat artifacts in the Maven repository with the 8.x version
    instead of 'debian' to avoid conflicts with other versions of Tomcat.
  * Hard coded the versions in the poms in debian/javaxpoms to fix the version
    of the dependencies for jsp-api
  * Renamed the jars in /usr/share/java to tomcat8-xxx to avoid conflicts with
    other versions of Tomcat
  * Added the missing descriptions to the patches
  * Added a patch to ignore the failing tests
  * Moved the tomcat-{servlet|jsp|el}-api artifacts from libservlet3.1-java to
    libtomcat8-java and changed their versions to the Tomcat version instead
    of the specification version.
  * Removed libservlet3.1-java.links defining the tomcat-* links in
    /usr/share/java with the specifications versions
  * The symlinks to /usr/share/tomcat8/lib are no longer split between the two
    packages libtomcat8-java and tomcat8-common. tomcat8-common assembles all
    the jars required by Tomcat (tomcat jars + dbcp + pool). libtomcat8-java
    deploys only the jars in /usr/share/java and the Maven artifacts in
    /usr/share/maven-repo.
  * Added the EL and WebSocket APIs to libservlet3.1-java-doc
  * Added a Lintian override for the incompatible-java-bytecode-format warning
    since Tomcat requires Java 7
  * Added a Lintian override to clear the codeless-jar warnings on the
    tomcat-i18n jars instead of a patch turning them into zip files.
  * Removed 0011-fix-classpath-lintian-warnings.patch and specified the
    classpath of jasper.jar in libtomcat8-java.manifest instead.

  [ tony mancill ]
  * Include tomcat-util-scan.jar in the libtomcat8-java package.
  * Remove debian/NEWS (inapplicable to this release).
  * Prune debian/changelog to only contain tomcat8 entries.

 -- Emmanuel Bourg  Sat, 15 Mar 2014 23:23:14 +0100
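Worked illustration of the CVE-2017-7674 entry (deb8u11): why a CORS filter that sets Access-Control-Allow-Origin from the request's Origin must also send "Vary: Origin". This is an added example, not Tomcat's CORS Filter nor anything from the Debian package. It models a shared cache the way RFC 7234 describes one (primary key: URL; secondary key: the request header values named in the stored response's Vary header) and a CORS filter with the header present and absent. The allow-list, the origins and the URL /api/profile are constructed for the demonstration.

```python
"""CORS responses vary by Origin; a cache only knows that if the response says so."""
from typing import Callable, Dict, Optional, Tuple

# Assumed allow-list for the example; Tomcat's filter takes this from cors.allowed.origins.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def cors_filter(origin: Optional[str], add_vary: bool) -> Dict[str, str]:
    """Headers the filter attaches to a cacheable resource for one request.

    add_vary=False is the pre-fix behaviour: Access-Control-Allow-Origin (and
    therefore whether a browser may read the response) depends on the Origin
    request header, but the response never declares that dependency.
    """
    headers = {"Cache-Control": "public, max-age=600"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    if add_vary:
        headers["Vary"] = "Origin"
    return headers


class SharedCache:
    """Minimal shared cache: a stored response is reused only when the request
    carries the same values for every header named in that response's Vary."""

    def __init__(self) -> None:
        # url -> (secondary key derived from Vary, response headers)
        self._store: Dict[str, Tuple[Dict[str, str], Dict[str, str]]] = {}

    @staticmethod
    def _vary_key(headers: Dict[str, str], request: Dict[str, str]) -> Dict[str, str]:
        names = [n.strip().lower() for n in headers.get("Vary", "").split(",") if n.strip()]
        return {n: request.get(n, "") for n in names}

    def fetch(
        self,
        url: str,
        request: Dict[str, str],
        origin_server: Callable[[Optional[str]], Dict[str, str]],
    ) -> Tuple[Dict[str, str], bool]:
        """Return (response headers, served_from_cache)."""
        req = {k.lower(): v for k, v in request.items()}
        cached = self._store.get(url)
        if cached is not None:
            key, headers = cached
            if key == self._vary_key(headers, req):
                return headers, True
        headers = origin_server(req.get("origin"))
        self._store[url] = (self._vary_key(headers, req), headers)
        return headers, False


def second_origin_sees(add_vary: bool, first_origin: str, second_origin: str) -> Tuple[bool, Optional[str]]:
    """Prime the cache with a request from first_origin, then request from
    second_origin. Returns (cache hit?, ACAO value the second origin receives)."""
    cache = SharedCache()
    server = lambda origin: cors_filter(origin, add_vary)
    cache.fetch("/api/profile", {"Origin": first_origin}, server)
    headers, hit = cache.fetch("/api/profile", {"Origin": second_origin}, server)
    return hit, headers.get("Access-Control-Allow-Origin")


if __name__ == "__main__":
    for add_vary in (False, True):
        print("Vary: Origin" if add_vary else "no Vary",
              second_origin_sees(add_vary, "https://evil.example", "https://app.example"),
              second_origin_sees(add_vary, "https://app.example", "https://admin.example"))
```

Without the header, anyone who can send one request with an unlisted Origin pins a response with no Access-Control-Allow-Origin into the cache, and every allowed origin's cross-origin fetch fails until it expires; a request from a second allowed origin likewise receives the first origin's ACAO value. With "Vary: Origin" the secondary key differs and each origin gets its own response. The same logic applies to the browser's own cache, which is the client-side case the entry mentions.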
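Worked illustration of the CVE-2016-0762 entry (deb8u4): a Realm that skips password processing for unknown user names answers measurably faster for them, which lets a remote attacker enumerate valid accounts. This is an added example, not Tomcat's Realm code. The toy realm below stores PBKDF2 digests (the iteration count is an assumed cost parameter) and exposes both the early-return shape and a hardened variant that always verifies against a dummy credential of the same cost; a counter records how many verifications each path performs, and timing_gap_ms shows the difference on a real clock.

```python
"""User enumeration via authentication timing, and the constant-work fix."""
import hashlib
import hmac
import os
import time
from statistics import median
from typing import Dict, Optional, Tuple

Credential = Tuple[bytes, bytes]  # (salt, PBKDF2-HMAC-SHA256 digest)


class Realm:
    ITERATIONS = 50_000  # assumed cost; what makes the timing gap observable

    def __init__(self) -> None:
        self._users: Dict[str, Credential] = {}
        self.verify_calls = 0  # instrumentation for the example only
        # Dummy credential with the same cost as a real one; used for unknown names.
        self._dummy = self._make("dummy-password-never-accepted")

    def _make(self, password: str) -> Credential:
        salt = os.urandom(16)
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def add_user(self, name: str, password: str) -> None:
        self._users[name] = self._make(password)

    def _verify(self, stored: Credential, password: str) -> bool:
        self.verify_calls += 1
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def authenticate_vulnerable(self, name: str, password: str) -> bool:
        """Pre-fix shape: unknown names return without touching the password."""
        stored = self._users.get(name)
        if stored is None:
            return False
        return self._verify(stored, password)

    def authenticate(self, name: str, password: str) -> bool:
        """Hardened: the expensive verification always runs, so the response
        time no longer depends on whether the name exists."""
        stored: Optional[Credential] = self._users.get(name)
        known = stored is not None
        ok = self._verify(stored if known else self._dummy, password)
        return ok and known


def timing_gap_ms(realm: Realm, hardened: bool, rounds: int = 5) -> Tuple[float, float]:
    """Median response time in ms for a known and an unknown user name."""
    auth = realm.authenticate if hardened else realm.authenticate_vulnerable

    def clock(name: str) -> float:
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            auth(name, "not-the-password")
            samples.append((time.perf_counter() - t0) * 1000)
        return median(samples)

    return clock("alice"), clock("no-such-user")


if __name__ == "__main__":
    realm = Realm()
    realm.add_user("alice", "correct horse battery staple")  # constructed account
    print("vulnerable (known, unknown) ms:", timing_gap_ms(realm, hardened=False))
    print("hardened   (known, unknown) ms:", timing_gap_ms(realm, hardened=True))
```

In the vulnerable path the unknown-name response takes microseconds while the known-name response pays the full digest cost, a gap an attacker can measure over the network with a few repeated requests per candidate name. The hardened path keeps both branches on the same code, so the only remaining difference is the dictionary lookup.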
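Worked illustration of the CVE-2016-6816 entry (deb8u5): a request-line parser that accepts characters outside the HTTP grammar lets a front-end proxy and the origin server disagree about what a request means, which is the precondition for response injection and cache poisoning. This is an added example, not Tomcat's parser nor the fix applied in the package. It implements the RFC 7230 request-line grammar (token method, origin-form or asterisk-form target built from RFC 3986 pchar, HTTP-version) beside a deliberately lenient parser that approximates the pre-fix behaviour, and runs both over constructed request lines; the sample lines illustrate the class of input (characters outside the grammar), not the specific exploit against Tomcat.

```python
"""Strict vs. lenient HTTP request-line parsing (RFC 7230 section 3.1.1)."""
import re
from typing import Dict, Tuple

# tchar from RFC 7230: the characters allowed in a method token.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
# pchar from RFC 3986: unreserved / pct-encoded / sub-delims / ":" / "@".
UNRESERVED = r"A-Za-z0-9\-._~"
SUB_DELIMS = r"!$&'()*+,;="
PCHAR = rf"(?:[{UNRESERVED}{SUB_DELIMS}:@]|%[0-9A-Fa-f]{{2}})"
# origin-form = absolute-path [ "?" query ]; absolute-path = 1*( "/" segment ).
ORIGIN_FORM = rf"(?:/{PCHAR}*)+(?:\?(?:{PCHAR}|[/?])*)?"
# Only origin-form and asterisk-form targets are covered here; absolute-form
# and authority-form are left out to keep the example short.
REQUEST_LINE = re.compile(rf"^({TCHAR}+) ({ORIGIN_FORM}|\*) HTTP/(\d)\.(\d)$")


def parse_request_line(line: str, strict: bool = True) -> Tuple[str, str, str]:
    """Return (method, request-target, version) or raise ValueError."""
    if strict:
        m = REQUEST_LINE.match(line)
        if m is None:
            raise ValueError(f"request line outside RFC 7230 grammar: {line!r}")
        method, target, major, minor = m.groups()
        return method, target, f"{major}.{minor}"
    # Lenient parser approximating the pre-fix behaviour: split on whitespace
    # and trust whatever bytes land in the request-target.
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0], parts[1], parts[2][len("HTTP/"):]


def accepts(line: str, strict: bool) -> bool:
    try:
        parse_request_line(line, strict=strict)
        return True
    except ValueError:
        return False


def audit(lines) -> Dict[str, Tuple[bool, bool]]:
    """For each line, (lenient accepts, strict accepts)."""
    return {line: (accepts(line, strict=False), accepts(line, strict=True)) for line in lines}


# Constructed request lines: one valid, the rest carrying characters the grammar forbids.
SAMPLE_LINES = [
    "GET /index.html?x=1&y=%2F HTTP/1.1",  # valid origin-form with a query
    "OPTIONS * HTTP/1.1",                   # valid asterisk-form
    "GET /{admin} HTTP/1.1",                # braces are not pchar
    "GET /caf\u00e9 HTTP/1.1",              # raw non-ASCII must be percent-encoded
    "GET /a\x01b HTTP/1.1",                 # control character inside the target
    "GET /a|b HTTP/1.1",                    # '|' is a tchar but not a pchar
]


if __name__ == "__main__":
    for line, (lenient, strict) in audit(SAMPLE_LINES).items():
        print(f"{line!r:40} lenient={lenient} strict={strict}")
```

The defensive property is that every component in the path agrees on the grammar: a request line the origin server would reject is never forwarded with a different meaning, so the attacker cannot make the proxy see one request while Tomcat sees another. Rejecting with 400 at the edge of the grammar, rather than tolerating and reinterpreting, is what removes the disagreement.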