UbuntuUpdates.org

Package "tomcat8"

Name: tomcat8

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • Apache Tomcat 8 - Servlet and JSP engine -- tools to create user instances

Latest version: 8.0.32-1ubuntu1.10
Release: xenial (16.04)
Level: updates
Repository: universe

Links

Save this URL for the latest version of "tomcat8": https://www.ubuntuupdates.org/tomcat8



Other versions of "tomcat8" in Xenial

Repository Area Version
base universe 8.0.32-1ubuntu1
base main 8.0.32-1ubuntu1
security main 8.0.32-1ubuntu1.10
security universe 8.0.32-1ubuntu1.10
updates main 8.0.32-1ubuntu1.10

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 8.0.32-1ubuntu1.5 2018-01-08 18:06:27 UTC

  tomcat8 (8.0.32-1ubuntu1.5) xenial-security; urgency=medium

  * SECURITY UPDATE: loss of pipeline requests
    - debian/patches/CVE-2017-5647.patch: improve sendfile handling when
      requests are pipelined in
      java/org/apache/coyote/AbstractProtocol.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11Nio2Processor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/Nio2Endpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java,
      java/org/apache/tomcat/util/net/SendfileKeepAliveState.java.
    - CVE-2017-5647
  * SECURITY UPDATE: incorrect facade object use
    - debian/patches/CVE-2017-5648.patch: ensure request and response
      facades are used when firing application listeners in
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardHostValve.java.
    - CVE-2017-5648
  * SECURITY UPDATE: unexpected and undesirable results for static error
    pages
    - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java.
    - CVE-2017-5664
  * SECURITY UPDATE: client and server side cache poisoning in CORS filter
    - debian/patches/CVE-2017-7674.patch: set Vary header in response in
      java/org/apache/catalina/filters/CorsFilter.java.
    - CVE-2017-7674

 -- Marc Deslauriers <email address hidden> Wed, 27 Sep 2017 17:23:18 -0400

Source diff to previous version
CVE-2017-5647 A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.
CVE-2017-5648 While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0
CVE-2017-5664 The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occ
CVE-2017-7674 The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header ind

Version: 8.0.32-1ubuntu1.4 2017-05-25 17:06:48 UTC

  tomcat8 (8.0.32-1ubuntu1.4) xenial; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat8
    contains the '%' character (LP: #1666570).

 -- Joshua Powers <email address hidden> Thu, 09 Mar 2017 14:38:04 -0700

Source diff to previous version

Version: 8.0.32-1ubuntu1.3 2017-01-23 21:06:55 UTC

  tomcat8 (8.0.32-1ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: timing attack in realm implementations
    - debian/patches/CVE-2016-0762.patch: add time delays to
      java/org/apache/catalina/realm/DataSourceRealm.java,
      java/org/apache/catalina/realm/JDBCRealm.java,
      java/org/apache/catalina/realm/MemoryRealm.java,
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2016-0762
  * SECURITY UPDATE: SecurityManager bypass via a Tomcat utility method
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java,
      java/org/apache/jasper/servlet/JasperInitializer.java.
    - CVE-2016-5018
  * SECURITY UPDATE: mitigaton for httpoxy issue
    - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
      parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
      java/org/apache/catalina/servlets/CGIServlet.java.
    - CVE-2016-5388
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
      to the system property replacement feature of the digester in
      java/org/apache/catalina/loader/WebappClassLoaderBase.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource
      is only visible via the ResourceLinkFactory when it is meant to be in
      java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java,
      test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat8.postinst: properly set permissions on
      /etc/tomcat8/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat8.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat8.init: further hardening.

 -- Marc Deslauriers <email address hidden> Mon, 16 Jan 2017 08:18:27 -0500

Source diff to previous version
CVE-2016-0762 Apache Tomcat Realm Timing Attack
CVE-2016-5018 Apache Tomcat Security Manager Bypass
CVE-2016-5388 Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the pr
CVE-2016-6794 Apache Tomcat System Property Disclosure
CVE-2016-6796 Apache Tomcat Security Manager Bypass
CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources
CVE-2016-6816 information disclosure
CVE-2016-8735 remote code execution
CVE-2016-9774 tomcat8: privilege escalation during package upgrade
CVE-2016-9775 tomcat8: privilege escalation during package removal

Version: 8.0.32-1ubuntu1.2 2016-09-19 20:06:31 UTC

  tomcat8 (8.0.32-1ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat8.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

 -- Marc Deslauriers <email address hidden> Fri, 16 Sep 2016 09:11:41 -0400

Source diff to previous version

Version: 8.0.32-1ubuntu1.1 2016-07-06 20:06:43 UTC

  tomcat8 (8.0.32-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092

 -- Marc Deslauriers <email address hidden> Wed, 06 Jul 2016 07:49:29 -0400

CVE-2016-3092 The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.



About   -   Send Feedback to @ubuntu_updates