UbuntuUpdates.org

Package "tomcat8"

Name: tomcat8

Description:

Apache Tomcat 8 - Servlet and JSP engine

Latest version: 8.0.32-1ubuntu1.10
Release: xenial (16.04)
Level: updates
Repository: main
Homepage: http://tomcat.apache.org

Other versions of "tomcat8" in Xenial

Repository  Area      Version
base        universe  8.0.32-1ubuntu1
base        main      8.0.32-1ubuntu1
security    main      8.0.32-1ubuntu1.10
security    universe  8.0.32-1ubuntu1.10
updates     universe  8.0.32-1ubuntu1.10

Changelog

Version: 8.0.32-1ubuntu1.10 2019-09-10 19:06:18 UTC
No changelog available yet.

Version: 8.0.32-1ubuntu1.9 2019-01-28 11:06:28 UTC

  tomcat8 (8.0.32-1ubuntu1.9) xenial; urgency=medium

  * d/p/fix-class-resource-name-filtering.patch: Fix class and resource name
    filtering in WebappClassLoader (LP: #1606331).

 -- Karl Stenerud <email address hidden> Mon, 10 Dec 2018 15:08:07 +0100

1606331 StringIndexOutOfBoundsException - Tomcat8.0.32

Version: 8.0.32-1ubuntu1.8 2018-10-10 16:06:26 UTC

  tomcat8 (8.0.32-1ubuntu1.8) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary redirect issue
    - debian/patches/CVE-2018-11784.patch: avoid protocol relative
      redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
    - CVE-2018-11784

 -- Marc Deslauriers <email address hidden> Tue, 09 Oct 2018 11:28:36 -0400

CVE-2018-11784 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g.

Version: 8.0.32-1ubuntu1.7 2018-07-25 20:06:42 UTC

  tomcat8 (8.0.32-1ubuntu1.7) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via issue in UTF-8 decoder
    - debian/patches/CVE-2018-1336.patch: fix logic in
      java/org/apache/tomcat/util/buf/Utf8Decoder.java.
    - CVE-2018-1336
  * SECURITY UPDATE: missing hostname verification in WebSocket client
    - debian/patches/CVE-2018-8034.patch: enable hostname verification by
      default in webapps/docs/web-socket-howto.xml,
      java/org/apache/tomcat/websocket/WsWebSocketContainer.java.
    - CVE-2018-8034

 -- Marc Deslauriers <email address hidden> Wed, 25 Jul 2018 08:17:36 -0400

CVE-2018-1336 A bug in the UTF-8 decoder can lead to DoS
CVE-2018-8034 host name verification missing in WebSocket client

Version: 8.0.32-1ubuntu1.6 2018-05-30 22:06:36 UTC

  tomcat8 (8.0.32-1ubuntu1.6) xenial-security; urgency=medium

  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-12617.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
      java/org/apache/catalina/webresources/DirResourceSet.java,
      java/org/apache/tomcat/util/compat/JrePlatform.java,
      test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
      test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
    - CVE-2017-12617
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <email address hidden> Mon, 28 May 2018 13:21:29 -0400

1721749 Security Fix - CVE-2017-12617
CVE-2017-12617 When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via sett
CVE-2018-1304 The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 t
CVE-2018-1305 Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84
CVE-2018-8014 The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are ins


