Package "tomcat8"

Name: tomcat8


Apache Tomcat 8 - Servlet and JSP engine

Latest version: 8.0.32-1ubuntu1.13
Release: xenial (16.04)
Level: security
Repository: main
Homepage: http://tomcat.apache.org


Download "tomcat8"

Other versions of "tomcat8" in Xenial

Repository Area Version
base universe 8.0.32-1ubuntu1
base main 8.0.32-1ubuntu1
security universe 8.0.32-1ubuntu1.13
updates main 8.0.32-1ubuntu1.13
updates universe 8.0.32-1ubuntu1.13

Packages in group

Deleted packages are displayed in grey.


Version: 8.0.32-1ubuntu1.13 2020-08-04 19:07:00 UTC

  tomcat8 (8.0.32-1ubuntu1.13) xenial-security; urgency=medium

  * SECURITY UPDATE: infinite loop via invalid payload length
    - debian/patches/CVE-2020-13935.patch: add additional payload length
      validation in java/org/apache/tomcat/websocket/WsFrameBase.java,
    - CVE-2020-13935
  * SECURITY UPDATE: HTTP Request Smuggling via invalid request smuggling
    - debian/patches/CVE-2020-1935.patch: use stricter header value
      parsing in java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
    - CVE-2020-1935
  * SECURITY UPDATE: remote code execution via deserialization of a file
    under the attacker's control
    - debian/patches/CVE-2020-9484.patch: improve validation of storage
      location when using FileStore in
    - CVE-2020-9484

 -- Marc Deslauriers <email address hidden> Mon, 03 Aug 2020 06:53:09 -0400

Source diff to previous version
CVE-2020-13935 The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and
CVE-2020-1935 In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that al
CVE-2020-9484 When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to contr

Version: 8.0.32-1ubuntu1.11 2020-01-27 16:06:23 UTC

  tomcat8 (8.0.32-1ubuntu1.11) xenial-security; urgency=medium

  * SECURITY UPDATE: JMX interface authentication bypass
    - debian/patches/CVE-2019-12418.patch: refactor JMX remote RMI registry
      creation in JmxRemoteLifecycleListener.java.
    - CVE-2019-12418
  * SECURITY UPDATE: session fixation attack in FORM authentication
    - debian/patches/CVE-2019-17563.patch: refactor so Principal is never
      cached in session with cache==false in
    - CVE-2019-17563

 -- Marc Deslauriers <email address hidden> Fri, 24 Jan 2020 11:24:30 -0500

Source diff to previous version
CVE-2019-12418 When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker witho
CVE-2019-17563 When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker

Version: 8.0.32-1ubuntu1.10 2019-09-10 19:06:17 UTC
No changelog available yet.
Source diff to previous version

Version: 8.0.32-1ubuntu1.8 2018-10-10 16:06:25 UTC

  tomcat8 (8.0.32-1ubuntu1.8) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary redirect issue
    - debian/patches/CVE-2018-11784.patch: avoid protocol relative
      redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
    - CVE-2018-11784

 -- Marc Deslauriers <email address hidden> Tue, 09 Oct 2018 11:28:36 -0400

Source diff to previous version
CVE-2018-11784 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g.

Version: 8.0.32-1ubuntu1.7 2018-07-25 19:06:40 UTC

  tomcat8 (8.0.32-1ubuntu1.7) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via issue in UTF-8 decoder
    - debian/patches/CVE-2018-1336.patch: fix logic in
    - CVE-2018-1336
  * SECURITY UPDATE: missing hostname verification in WebSocket client
    - debian/patches/CVE-2018-8034.patch: enable hostname verification by
      default in webapps/docs/web-socket-howto.xml,
    - CVE-2018-8034

 -- Marc Deslauriers <email address hidden> Wed, 25 Jul 2018 08:17:36 -0400

CVE-2018-1336 A bug in the UTF-8 decoder can lead to DoS
CVE-2018-8034 host name verification missing in WebSocket client

About   -   Send Feedback to @ubuntu_updates