UbuntuUpdates.org

Package "tomcat7"

Name: tomcat7

Description: Servlet and JSP engine

Latest version: 7.0.52-1ubuntu0.16
Release: trusty (14.04)
Level: security
Repository: main
Homepage: http://tomcat.apache.org

Other versions of "tomcat7" in Trusty

Repository  Area      Version
base        universe  7.0.52-1
base        main      7.0.52-1
security    universe  7.0.52-1ubuntu0.16
updates     universe  7.0.52-1ubuntu0.16
updates     main      7.0.52-1ubuntu0.16

Changelog

Version: 7.0.52-1ubuntu0.16 2018-10-10 16:06:20 UTC

  tomcat7 (7.0.52-1ubuntu0.16) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary redirect issue
    - debian/patches/CVE-2018-11784.patch: avoid protocol relative
      redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
    - CVE-2018-11784

 -- Marc Deslauriers <email address hidden> Tue, 09 Oct 2018 11:25:36 -0400

CVE-2018-11784 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g.

Version: 7.0.52-1ubuntu0.15 2018-07-25 19:06:38 UTC

  tomcat7 (7.0.52-1ubuntu0.15) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via issue in UTF-8 decoder
    - debian/patches/CVE-2018-1336.patch: fix logic in
      java/org/apache/tomcat/util/buf/Utf8Decoder.java.
    - CVE-2018-1336
  * SECURITY UPDATE: missing hostname verification in WebSocket client
    - debian/patches/CVE-2018-8034.patch: enable hostname verification by
      default in webapps/docs/web-socket-howto.xml,
      java/org/apache/tomcat/websocket/WsWebSocketContainer.java.
    - CVE-2018-8034

 -- Marc Deslauriers <email address hidden> Wed, 25 Jul 2018 08:27:25 -0400

CVE-2018-1336 A bug in the UTF-8 decoder can lead to DoS
CVE-2018-8034 host name verification missing in WebSocket client

Version: 7.0.52-1ubuntu0.14 2018-05-30 21:07:22 UTC

  tomcat7 (7.0.52-1ubuntu0.14) trusty-security; urgency=medium

  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-1261x.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java
      java/org/apache/naming/resources/FileDirContext.java,
      java/org/apache/naming/resources/JrePlatform.java,
      java/org/apache/naming/resources/LocalStrings.properties,
      java/org/apache/naming/resources/VirtualDirContext.java,
      test/org/apache/naming/resources/TestFileDirContext.java.
    - CVE-2017-12616
    - CVE-2017-12617
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <email address hidden> Tue, 29 May 2018 10:22:42 -0400

1721749 Security Fix - CVE-2017-12617
CVE-2017-12616 When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs
CVE-2017-12617 When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via sett
CVE-2018-1304 The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 t
CVE-2018-1305 Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84
CVE-2018-8014 The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are ins

Version: 7.0.52-1ubuntu0.13 2018-01-08 17:06:57 UTC

  tomcat7 (7.0.52-1ubuntu0.13) trusty-security; urgency=medium

  * SECURITY UPDATE: loss of pipeline requests
    - debian/patches/CVE-2017-5647.patch: improve sendfile handling when
      requests are pipelined in
      java/org/apache/coyote/AbstractProtocol.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java,
      java/org/apache/tomcat/util/net/SendfileKeepAliveState.java,
      java/org/apache/tomcat/util/net/SendfileState.java.
    - CVE-2017-5647
  * SECURITY UPDATE: incorrect facade object use
    - debian/patches/CVE-2017-5648-pre.patch: fix keep-alive with
      asynchronous servlet in
      java/org/apache/catalina/core/AsyncContextImpl.java,
      java/org/apache/coyote/AsyncContextCallback.java,
      java/org/apache/coyote/AsyncStateMachine.java,
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - debian/patches/CVE-2017-5648.patch: ensure request and response
      facades are used when firing application listeners in
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardHostValve.java.
    - CVE-2017-5648
  * SECURITY UPDATE: unexpected and undesirable results for static error
    pages
    - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java.
    - CVE-2017-5664
  * SECURITY UPDATE: client and server side cache poisoning in CORS filter
    - debian/patches/CVE-2017-7674.patch: set Vary header in response in
      java/org/apache/catalina/filters/CorsFilter.java.
    - CVE-2017-7674

 -- Marc Deslauriers <email address hidden> Wed, 27 Sep 2017 16:28:58 -0400

CVE-2017-5647 A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.
CVE-2017-5648 While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0
CVE-2017-5664 The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occ
CVE-2017-7674 The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header ind

Version: 7.0.52-1ubuntu0.10 2017-02-20 19:06:52 UTC

  tomcat7 (7.0.52-1ubuntu0.10) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in
      java/org/apache/coyote/http11/AbstractInputBuffer.java.
    - CVE-2017-6056

 -- Marc Deslauriers <email address hidden> Fri, 17 Feb 2017 08:51:12 -0500

1663318 Tomcat 7 keeps using 100% CPU after sending an invalid HTTP request
CVE-2017-6056 It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of se