tomcat8: CVE-2017-5664: Security constraint bypass in error page mechanism

Related Vulnerabilities: CVE-2017-5664  

Debian Bug report logs - #864447
tomcat8: CVE-2017-5664: Security constraint bypass in error page mechanism


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 8 Jun 2017 18:54:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions tomcat8/8.0.14-1, tomcat8/8.5.14-1

Fixed in versions tomcat8/8.5.14-2, tomcat8/8.5.14-1+deb9u1, tomcat8/8.0.14-1+deb8u10, tomcat7/7.0.56-3+deb8u11

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#864447; Package src:tomcat8. (Thu, 08 Jun 2017 18:54:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 08 Jun 2017 18:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tomcat8: CVE-2017-5664: Security constraint bypass in error page mechanism
Date: Thu, 08 Jun 2017 20:49:16 +0200
Source: tomcat8
Version: 8.5.14-1
Severity: important
Tags: security patch upstream
Control: found -1 8.0.14-1

Hi,

the following vulnerability was published for tomcat8.

CVE-2017-5664[0]:
| The error page mechanism of the Java Servlet Specification requires
| that, when an error occurs and an error page is configured for the
| error that occurred, the original request and response are forwarded
| to the error page. This means that the request is presented to the
| error page with the original HTTP method. If the error page is a
| static file, expected behaviour is to serve content of the file as if
| processing a GET request, regardless of the actual HTTP method. The
| Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to
| 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this.
| Depending on the original request this could lead to unexpected and
| undesirable results for static error pages including, if the
| DefaultServlet is configured to permit writes, the replacement or
| removal of the custom error page. Notes for other user provided error
| pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP
| method. JSPs used as error pages must ensure that they handle any
| error dispatch as a GET request, regardless of the actual method. (2)
| By default, the response generated by a Servlet does depend on the
| HTTP method. Custom Servlets used as error pages must ensure that they
| handle any error dispatch as a GET request, regardless of the actual
| method.

The security-tracker page[0] also contains the commits for the 7.0.x,
8.0.x and 8.5.x branches.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5664
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664

Regards,
salvatore
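The notes (1) and (2) in the CVE text above (repeated in the changelog entries later in this log) put the burden on user-provided error pages: an error dispatch arrives with the original HTTP method, so a servlet or JSP used as an error page must render as if it were a GET. The servlet below is an added example of that rule, written for this page; it is not code from Tomcat, from Debian's packaging, or from the patches referenced here. It assumes the Servlet 3.0 API (shipped here as libservlet3.0-java for tomcat7 and libservlet3.1-java for tomcat8), so DispatcherType and the RequestDispatcher.ERROR_* attribute names are available. The class name SafeErrorServlet and the /error mapping are illustrative choices; map the servlet to a URL in web.xml and name that URL in the <location> of each <error-page>.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.DispatcherType;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Error-page servlet (illustrative, not Tomcat's code) that renders the same
 * page for every error dispatch, whatever method the failed request used.
 * Map it to /error and use <location>/error</location> in web.xml.
 */
public class SafeErrorServlet extends HttpServlet {

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getDispatcherType() == DispatcherType.ERROR) {
            // Forwarded here by the error-page mechanism. The request still
            // carries the original method (possibly PUT, DELETE or POST);
            // never let that method pick a handler, just render as a GET would.
            renderErrorPage(req, resp);
            return;
        }
        // A direct request for the error page URL, not via the error mechanism.
        String method = req.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method)) {
            renderErrorPage(req, resp);
        } else {
            resp.setHeader("Allow", "GET, HEAD");
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        }
    }

    /** Builds the page from the error attributes only; never touches the filesystem. */
    static void renderErrorPage(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        Object status = req.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        Object uri = req.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);
        int code = status instanceof Integer ? (Integer) status
                                             : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
        resp.setStatus(code);
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter out = resp.getWriter();
        out.print("<!DOCTYPE html><html><body><h1>Error " + code + "</h1>");
        // The original request URI is attacker-controlled: escape before echoing it.
        out.print("<p>" + escapeHtml(uri == null ? "" : uri.toString())
                + " could not be served.</p></body></html>");
    }

    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The dispatcher-type check is the whole point: HttpServlet.service() would otherwise route a forwarded DELETE to doDelete() and a forwarded PUT to doPut(), which is exactly how a writable DefaultServlet ends up removing or replacing a static error page. The 405 branch only applies to direct requests, so there is no risk of calling sendError() while already inside an error dispatch.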



Marked as found in versions tomcat8/8.0.14-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 08 Jun 2017 18:54:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#864447; Package src:tomcat8. (Thu, 08 Jun 2017 20:42:03 GMT)


Message #10 received at 864447@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 864447@bugs.debian.org, 864447-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the tomcat8 package
Date: Thu, 08 Jun 2017 20:39:29 +0000
tag 864447 + pending
thanks

Some bugs in the tomcat8 package are closed in revision
a1e2c41b37a81e5565357f8a39e1e06ee443404f in branch 'master' by
Emmanuel Bourg

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/tomcat8.git/commit/?id=a1e2c41

Commit message:

    Fixed CVE-2017-5664: Static error pages can be overwritten if the DefaultServlet is configured to permit writes (Closes: #864447)




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 08 Jun 2017 20:42:05 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#864447. (Thu, 08 Jun 2017 20:42:07 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Thu, 08 Jun 2017 21:09:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 08 Jun 2017 21:09:08 GMT)


Message #20 received at 864447-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 864447-close@bugs.debian.org
Subject: Bug#864447: fixed in tomcat8 8.5.14-2
Date: Thu, 08 Jun 2017 21:08:08 +0000
Source: tomcat8
Source-Version: 8.5.14-2

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864447@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Jun 2017 12:28:34 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source
Version: 8.5.14-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 864447
Changes:
 tomcat8 (8.5.14-2) unstable; urgency=high
 .
   * Team upload.
   * Fixed CVE-2017-5664: Static error pages can be overwritten if the
     DefaultServlet is configured to permit writes (Closes: #864447)
Checksums-Sha1:
 1968435d98ecce70ed4c2f27cb18177eef02a4ec 2962 tomcat8_8.5.14-2.dsc
 151efe32da20d4b910b296ed8aba30b5c77d447f 42264 tomcat8_8.5.14-2.debian.tar.xz
 5c94e75adff3faf9875308fa96e35a07c07217f7 10062 tomcat8_8.5.14-2_source.buildinfo
Checksums-Sha256:
 e921d697faf8511791fe19787b82cb4ac3a25f8cfc7acc997b1c85cef9df8d0e 2962 tomcat8_8.5.14-2.dsc
 f42ade0a997beadbedfab0e1de3eaf65d4bf841199e34e09a021090d728ce9dd 42264 tomcat8_8.5.14-2.debian.tar.xz
 bd8965c73e7f589a99e75a9b4b4cec15ef206d0b7f647f47f70fe54dd9f2677e 10062 tomcat8_8.5.14-2_source.buildinfo
Files:
 46a95ee030621d2ca5cf8379707cfe33 2962 java optional tomcat8_8.5.14-2.dsc
 33077ac634f43d4610bb029d00570852 42264 java optional tomcat8_8.5.14-2.debian.tar.xz
 e13edbef2efddb3261a72e5104f255aa 10062 java optional tomcat8_8.5.14-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCAAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAlk5thkSHGVib3VyZ0Bh
cGFjaGUub3JnAAoJEPUTxBnkudCs+rMP/A+rjeZvZDHNnhkNEEBch82E+pRZDihd
ZvwD6RBIEFiYKbvDUb6N+odzCo3DNWGPmRWyHpXiqdT+CadZw1raFoPxwsgq63H3
D4gwp4dxit/BAHAr0MO0mMqKhsJjg86dsdjFub4TLKaFNOML89RyP2xb5Zwbm+d5
HZXU9EeiLrjyVM57OfZd3FTTVwJHJTiNbr0dgZg0vR5oSq8iTjLJMzIW1Qet3c6H
aGEp8VT11jBeJ+4366LkzDENYbZwvH+jm8Zxkm90Rr9tqZqoj3OnZeCSHo/GMSn5
390J3rNn0vuJztcowVfBhlXc5+R90gJtCwMnEbrM+ULDM4gTRZBDZ/TO18ml6gSq
Q/OYjssGsajJB0j9R3lJ6HBwkGBZ43B0IkTTYzwDCiPc3tAWydTcVA/6DMFLHcBG
211YgTRqm4WD3yB0rxyYQsdjava9Vus/rvo1PIHbgQpYE6B4krp1BAKLvnAi5Mdn
eEyht54hSosTZ2UpG75uU5rv1AhpcHLnLiDPlNmwxVhf4HuwC6CLasqDstAn20+4
HMHDjlXCMoQ5JaZKDuHBRe+SK8Ia/S+/vMHL5pJ0OP3jWxmWIWKVfNySu+ZatZGA
lar1Sn/voMOB3Z9G/NcMpa2JXgVg/vz8nXDc9ix5zDW2kdauaBUHxyqWvjyQVpop
g8c2/2yJigvc
=rlUN
-----END PGP SIGNATURE-----
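The changelog above names the precondition for the worst outcome: the DefaultServlet must be configured to permit writes. Tomcat's DefaultServlet defaults to readonly=true, so only a deployment that sets that init-param to false can have a PUT or DELETE replace or remove a static error page. The audit below is an added example, not part of this bug log or of any Debian or Tomcat tooling: it parses a web.xml (the constructed sample is embedded inline and is not taken from any real deployment) and reports every static error-page location that a writable DefaultServlet would serve. Locations mapped to a servlet or ending in .jsp are skipped because notes (1) and (2) of the CVE text apply to those instead. The class name ErrorPageWriteAudit and the finding text are illustrative.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Illustrative audit (not Tomcat's or Debian's code) for CVE-2017-5664 preconditions. */
public class ErrorPageWriteAudit {

    static final String DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet";

    // Constructed sample in the shape of Tomcat's conf/web.xml merged with a
    // webapp's WEB-INF/web.xml; not taken from any real deployment.
    static final String SAMPLE_WEB_XML = String.join("\n",
        "<web-app>",
        "  <servlet>",
        "    <servlet-name>default</servlet-name>",
        "    <servlet-class>" + DEFAULT_SERVLET + "</servlet-class>",
        "    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>",
        "  </servlet>",
        "  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>",
        "  <servlet-mapping><servlet-name>errorServlet</servlet-name><url-pattern>/error</url-pattern></servlet-mapping>",
        "  <error-page><error-code>403</error-code><location>/errors/403.html</location></error-page>",
        "  <error-page><error-code>404</error-code><location>/errors/404.html</location></error-page>",
        "  <error-page><exception-type>java.lang.Throwable</exception-type><location>/error</location></error-page>",
        "</web-app>");

    public static List<String> audit(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A webapp's web.xml is untrusted input: refuse DTDs, so no entity expansion or XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(webXml)));

        // Find the DefaultServlet declaration and whether it was made writable.
        boolean writable = false;
        String defaultName = null;
        NodeList servlets = doc.getElementsByTagName("servlet");
        for (int i = 0; i < servlets.getLength(); i++) {
            Element s = (Element) servlets.item(i);
            if (!DEFAULT_SERVLET.equals(text(s, "servlet-class"))) continue;
            defaultName = text(s, "servlet-name");
            NodeList params = s.getElementsByTagName("init-param");
            for (int j = 0; j < params.getLength(); j++) {
                Element p = (Element) params.item(j);
                if ("readonly".equals(text(p, "param-name"))
                        && "false".equalsIgnoreCase(text(p, "param-value"))) {
                    writable = true; // readonly defaults to true; only an explicit false enables PUT/DELETE
                }
            }
        }

        // URL patterns mapped to any other servlet are not served by DefaultServlet.
        Set<String> servletPaths = new HashSet<>();
        NodeList mappings = doc.getElementsByTagName("servlet-mapping");
        for (int i = 0; i < mappings.getLength(); i++) {
            Element m = (Element) mappings.item(i);
            String pattern = text(m, "url-pattern");
            if (pattern != null && !pattern.equals("/")
                    && (defaultName == null || !defaultName.equals(text(m, "servlet-name")))) {
                servletPaths.add(pattern);
            }
        }

        List<String> findings = new ArrayList<>();
        NodeList pages = doc.getElementsByTagName("error-page");
        for (int i = 0; i < pages.getLength(); i++) {
            String loc = text((Element) pages.item(i), "location");
            if (loc == null || servletPaths.contains(loc) || loc.endsWith(".jsp")) {
                continue; // servlet or JSP error page: CVE notes (1)/(2) apply, not the static-file path
            }
            if (writable) {
                findings.add("static error page " + loc
                        + " is served by a DefaultServlet with readonly=false");
            }
        }
        return findings;
    }

    private static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        for (String finding : audit(SAMPLE_WEB_XML)) {
            System.out.println("FINDING: " + finding);
        }
    }
}
```

On the sample this reports /errors/403.html and /errors/404.html and stays silent on /error, which is mapped to a servlet. Run it against both conf/web.xml (where Debian declares the default servlet) and each webapp's WEB-INF/web.xml, since either can set readonly. Two caveats: a readonly DefaultServlet narrows the impact to the wrong response for the error page, it does not make an unpatched Tomcat correct; and on Debian the upstream version string does not change with a security backport, so check the installed package version against the fixed versions listed at the top of this log (8.5.14-1+deb9u1, 8.0.14-1+deb8u10, 7.0.56-3+deb8u11) rather than the Tomcat version banner.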




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#864447; Package src:tomcat8. (Tue, 20 Jun 2017 22:09:03 GMT)


Message #23 received at 864447@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 864447@bugs.debian.org, 864447-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the tomcat7 package
Date: Tue, 20 Jun 2017 22:04:26 +0000
tag 864447 + pending
thanks

Some bugs in the tomcat7 package are closed in revision
1ebcd5b2c822cf677b59a875172344c80d1d1ee4 in branch 'wheezy' by
Markus Koschany

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/tomcat7.git/commit/?id=1ebcd5b

Commit message:

    Import Debian changes 7.0.28-4+deb7u14
    
    tomcat7 (7.0.28-4+deb7u14) wheezy-security; urgency=high
    
      * Team upload.
      * Fix CVE-2017-5664.
        The error page mechanism of the Java Servlet Specification requires that,
        when an error occurs and an error page is configured for the error that
        occurred, the original request and response are forwarded to the error
        page. This means that the request is presented to the error page with the
        original HTTP method. If the error page is a static file, expected
        behaviour is to serve content of the file as if processing a GET request,
        regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
        did not do this. Depending on the original request this could lead to
        unexpected and undesirable results for static error pages including, if the
        DefaultServlet is configured to permit writes, the replacement or removal
        of the custom error page. (Closes: #864447)




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Tue, 20 Jun 2017 22:09:06 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#864447. (Tue, 20 Jun 2017 22:09:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#864447; Package src:tomcat8. (Wed, 21 Jun 2017 11:39:09 GMT)


Message #31 received at 864447@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 864447@bugs.debian.org, 864447-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the tomcat8 package
Date: Wed, 21 Jun 2017 11:37:54 +0000
tag 864447 + pending
thanks

Some bugs in the tomcat8 package are closed in revision
b8a566435d0f49d29acfea3654cda356977372c1 in branch 'stretch' by
Emmanuel Bourg

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/tomcat8.git/commit/?id=b8a5664

Commit message:

    Fixed CVE-2017-5664: Static error pages can be overwritten if the DefaultServlet is configured to permit writes (Closes: #864447)




Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#864447. (Wed, 21 Jun 2017 11:39:22 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Sat, 24 Jun 2017 14:54:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 24 Jun 2017 14:54:06 GMT)


Message #39 received at 864447-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 864447-close@bugs.debian.org
Subject: Bug#864447: fixed in tomcat8 8.5.14-1+deb9u1
Date: Sat, 24 Jun 2017 14:51:40 +0000
Source: tomcat8
Source-Version: 8.5.14-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864447@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 21 Jun 2017 13:36:46 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source
Version: 8.5.14-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 864447
Changes:
 tomcat8 (8.5.14-1+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fixed CVE-2017-5664: Static error pages can be overwritten if the
     DefaultServlet is configured to permit writes (Closes: #864447)
Checksums-Sha1:
 def6568d9a61bed5724dc241899baee534a5e795 2990 tomcat8_8.5.14-1+deb9u1.dsc
 07d6fb8aafbfb114fa879976b6edd00fa2445abf 3325436 tomcat8_8.5.14.orig.tar.xz
 a1e39e169b7e5c25512b8d1eb22d0a685f19670c 42252 tomcat8_8.5.14-1+deb9u1.debian.tar.xz
 e53d78d0e80ca089dd6b7c96a3759f7e9ec72237 10183 tomcat8_8.5.14-1+deb9u1_source.buildinfo
Checksums-Sha256:
 b844e82d31c9276d1efd0be5c0082bbbb0f1ebd89e6778cff9f9e95f653ad86a 2990 tomcat8_8.5.14-1+deb9u1.dsc
 55793397099260a4f85e6ec810ac487faa4c4d03c24023dca99137d19e8808db 3325436 tomcat8_8.5.14.orig.tar.xz
 d9ac4fee10307a3c540a7a2bcb83bc1f2fe9b8fd250e6f03d1476ee5c4c7dc63 42252 tomcat8_8.5.14-1+deb9u1.debian.tar.xz
 033f94239cf6d08c0087caa1f84325d2f0bf3e81c3dc5a116eaacd071befe8b0 10183 tomcat8_8.5.14-1+deb9u1_source.buildinfo
Files:
 bbdbf0ec3ec8e2be35f840793bf3a55e 2990 java optional tomcat8_8.5.14-1+deb9u1.dsc
 cf8bd5c141d38fe2843286a07b153449 3325436 java optional tomcat8_8.5.14.orig.tar.xz
 5215b46942b69ce5b40d8b4b428dd5cf 42252 java optional tomcat8_8.5.14-1+deb9u1.debian.tar.xz
 78e06261c0188c87eb72b29a72c1e5c1 10183 java optional tomcat8_8.5.14-1+deb9u1_source.buildinfo





Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sat, 24 Jun 2017 21:21:26 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 24 Jun 2017 21:21:26 GMT)


Message #44 received at 864447-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 864447-close@bugs.debian.org
Subject: Bug#864447: fixed in tomcat8 8.0.14-1+deb8u10
Date: Sat, 24 Jun 2017 21:19:18 +0000
Source: tomcat8
Source-Version: 8.0.14-1+deb8u10

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864447@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 20 Jun 2017 20:26:44 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u10
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 864447
Changes:
 tomcat8 (8.0.14-1+deb8u10) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-5664.
     The error page mechanism of the Java Servlet Specification requires that,
     when an error occurs and an error page is configured for the error that
     occurred, the original request and response are forwarded to the error
     page. This means that the request is presented to the error page with the
     original HTTP method. If the error page is a static file, expected
     behaviour is to serve content of the file as if processing a GET request,
     regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
     did not do this. Depending on the original request this could lead to
     unexpected and undesirable results for static error pages including, if the
     DefaultServlet is configured to permit writes, the replacement or removal
     of the custom error page. (Closes: #864447)
Checksums-Sha1:
 6f99e5326b8cafe987e4cbee2341809e5052b2f6 3013 tomcat8_8.0.14-1+deb8u10.dsc
 e5b7ab130945d00d0bd92739e92dc3f036f145c4 77852 tomcat8_8.0.14-1+deb8u10.debian.tar.xz
 c46e4265dab09229ca4df9422c25c6e0a34fb4c8 58388 tomcat8-common_8.0.14-1+deb8u10_all.deb
 a83c5f514408b0ab1745d48f673179f0d96b51c2 48120 tomcat8_8.0.14-1+deb8u10_all.deb
 bb7d6eb8251b17024dcedd08b49ec92f058c0c71 35558 tomcat8-user_8.0.14-1+deb8u10_all.deb
 44e8be7ae7b2c173c5f2722452e05f3a5f6627d2 4592508 libtomcat8-java_8.0.14-1+deb8u10_all.deb
 53c333eb3282fed4a42f73663ff82f78cef46d81 392968 libservlet3.1-java_8.0.14-1+deb8u10_all.deb
 68017d2f8ce71ab61523e21a7ed4eb9767faa7f7 247930 libservlet3.1-java-doc_8.0.14-1+deb8u10_all.deb
 399dcc94d86245c15dc836161ff2b6215ef34933 36988 tomcat8-admin_8.0.14-1+deb8u10_all.deb
 486e5fdab33499b6a5b1085b38ee7bd2e4eba907 194830 tomcat8-examples_8.0.14-1+deb8u10_all.deb
 2fd45827426af6ce16671bcd569004f0334c5d5e 690056 tomcat8-docs_8.0.14-1+deb8u10_all.deb
Checksums-Sha256:
 a9b7bceacff85893701c290ff24dbca64c98bee34d4b0da3459194029d0a5d56 3013 tomcat8_8.0.14-1+deb8u10.dsc
 e43fc24db9446eba1bf8b68e8c031b71ccef26b0695188fb05c1ccaa3d516042 77852 tomcat8_8.0.14-1+deb8u10.debian.tar.xz
 a1fef9265283f21f99f641fb9890ec3337f5ea1fd59795551164a1396ecb025a 58388 tomcat8-common_8.0.14-1+deb8u10_all.deb
 c6cacc3a0c400da43c76e3067f5ffff9c0e070b2d1d66ee178f855a11cd9b2f4 48120 tomcat8_8.0.14-1+deb8u10_all.deb
 17728d81b3393c98013aa879d9bd1811bdea766a859b5269ac975fe2c30f9d41 35558 tomcat8-user_8.0.14-1+deb8u10_all.deb
 e0d19dc72d527bc2c8df6877d56255fd132812ee57261072848c165e807abc40 4592508 libtomcat8-java_8.0.14-1+deb8u10_all.deb
 58e2041b84de498ac6971cbd44aa96d3e706e7a32d260bedee7fccf896f994e6 392968 libservlet3.1-java_8.0.14-1+deb8u10_all.deb
 fc1cf9b33d5832978f75876e3fe642566115802a6e07106d4315aed982c1c5f9 247930 libservlet3.1-java-doc_8.0.14-1+deb8u10_all.deb
 869d729b1d52be7a13bfd57b94f9d5a13527233ec0358674157faa3a48de13c9 36988 tomcat8-admin_8.0.14-1+deb8u10_all.deb
 67362674e90e9e07aab912a26737c1290114af069aa1c3ed30868c31e545f278 194830 tomcat8-examples_8.0.14-1+deb8u10_all.deb
 d6a1e5a113c5396d68b801d25422b364463bdcdfc7e74ad46be8e7b490eed500 690056 tomcat8-docs_8.0.14-1+deb8u10_all.deb
Files:
 fef02d27967ab21df4c12e6dc2f49c15 3013 java optional tomcat8_8.0.14-1+deb8u10.dsc
 ec911468b97612986c65c4a04fcd9d46 77852 java optional tomcat8_8.0.14-1+deb8u10.debian.tar.xz
 a7fefff5e159e54ce79d0d2e54ccc1b4 58388 java optional tomcat8-common_8.0.14-1+deb8u10_all.deb
 e02d0608b563245910b34f32995a6ed4 48120 java optional tomcat8_8.0.14-1+deb8u10_all.deb
 e7e27e763866442697073b90b2de9f91 35558 java optional tomcat8-user_8.0.14-1+deb8u10_all.deb
 fb62929705dbe47cf4972b525e890ea1 4592508 java optional libtomcat8-java_8.0.14-1+deb8u10_all.deb
 cb959fb2271ff903e6d5c79cfcc94c56 392968 java optional libservlet3.1-java_8.0.14-1+deb8u10_all.deb
 c9e8a2ca571525f9956609f91ea2ce66 247930 doc optional libservlet3.1-java-doc_8.0.14-1+deb8u10_all.deb
 529f3b30dd29da0b4d0bf3d8dec83218 36988 java optional tomcat8-admin_8.0.14-1+deb8u10_all.deb
 a03a32e2e8b4636f480a0dd5a9f421aa 194830 java optional tomcat8-examples_8.0.14-1+deb8u10_all.deb
 5e8dccb7e192ceff4c28cd1ea0a5b2f9 690056 doc optional tomcat8-docs_8.0.14-1+deb8u10_all.deb





Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sat, 24 Jun 2017 21:21:28 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 24 Jun 2017 21:21:28 GMT)


Message #49 received at 864447-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 864447-close@bugs.debian.org
Subject: Bug#864447: fixed in tomcat7 7.0.56-3+deb8u11
Date: Sat, 24 Jun 2017 21:19:17 +0000
Source: tomcat7
Source-Version: 7.0.56-3+deb8u11

We believe that the bug you reported is fixed in the latest version of
tomcat7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864447@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated tomcat7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 20 Jun 2017 20:10:32 +0200
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.56-3+deb8u11
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Closes: 864447
Changes:
 tomcat7 (7.0.56-3+deb8u11) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-5664.
     The error page mechanism of the Java Servlet Specification requires that,
     when an error occurs and an error page is configured for the error that
     occurred, the original request and response are forwarded to the error
     page. This means that the request is presented to the error page with the
     original HTTP method. If the error page is a static file, expected
     behaviour is to serve content of the file as if processing a GET request,
     regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
     did not do this. Depending on the original request this could lead to
     unexpected and undesirable results for static error pages including, if the
     DefaultServlet is configured to permit writes, the replacement or removal
     of the custom error page. (Closes: #864447)
Checksums-Sha1:
 939d4a334454dcf7f7f4c114f256a0afdef4923e 2929 tomcat7_7.0.56-3+deb8u11.dsc
 61e081f1c2ba4daf7673fc55bffd4502c47d4661 96236 tomcat7_7.0.56-3+deb8u11.debian.tar.xz
 c01869d335c98cf6f03c6aa7e0b45b41baed98a1 64496 tomcat7-common_7.0.56-3+deb8u11_all.deb
 86433fabed4861cc2fa144360ed969e893452f94 53466 tomcat7_7.0.56-3+deb8u11_all.deb
 1f1e6b8a75c8b69ae2281f84910d7840a30c51bb 40896 tomcat7-user_7.0.56-3+deb8u11_all.deb
 bee90e719113503208526733525957ad36749df6 3633608 libtomcat7-java_7.0.56-3+deb8u11_all.deb
 69cdb4a056b89df87fea2e0911d75ca938023d93 316844 libservlet3.0-java_7.0.56-3+deb8u11_all.deb
 0eafbaaee0fbbb315b49ef73b06e65b268575a5e 207024 libservlet3.0-java-doc_7.0.56-3+deb8u11_all.deb
 793b29b4fc00caaa5735e60b58b5b68956ac1e27 41882 tomcat7-admin_7.0.56-3+deb8u11_all.deb
 24902e3366d3ba7f5320213e44f878e7dec8e6c3 199950 tomcat7-examples_7.0.56-3+deb8u11_all.deb
 2f1a371274bf1751f6aa9f5ac148c20adeaf6eac 605998 tomcat7-docs_7.0.56-3+deb8u11_all.deb
Checksums-Sha256:
 43d09ed416f64325de238e38754dc846a5a83268653d653569ac769a1d88c980 2929 tomcat7_7.0.56-3+deb8u11.dsc
 75f5cc97f9619ca614f1a8b14d6d404639dad1da6355107c78998d708aae0a66 96236 tomcat7_7.0.56-3+deb8u11.debian.tar.xz
 7cbdba90cb90b53de06dbf4fa4a3faa2db26c0eb043023c1bed19ba19eeddb06 64496 tomcat7-common_7.0.56-3+deb8u11_all.deb
 8b02869403c7f0ff391b0c380b4c6a96f5076beafceaa36b056db6836ba0e367 53466 tomcat7_7.0.56-3+deb8u11_all.deb
 f357ddff6ee36db7cf23aa9c606678996147fcae1cfec4aed5c48b95190e8441 40896 tomcat7-user_7.0.56-3+deb8u11_all.deb
 9b43105fbbe9d881815c66a79ccd4feabe15f8dd90d691b78d52decf06d51733 3633608 libtomcat7-java_7.0.56-3+deb8u11_all.deb
 e8326e6df4f68c5706be7181a9add071db17c9fdc0bdd4e251fa7dfcb28d92b6 316844 libservlet3.0-java_7.0.56-3+deb8u11_all.deb
 1ab06d1470f469f54584f28324b14f44c67cbbe9b1de99fcd9cde41eadee157c 207024 libservlet3.0-java-doc_7.0.56-3+deb8u11_all.deb
 5aaae5b92ac6bc7d91499c278aeb466cbf985f589698a62647bb7931849bece6 41882 tomcat7-admin_7.0.56-3+deb8u11_all.deb
 33ac8b25c92f418d8cc030920b526fdf939dee3d6c80d495c815131b8aa8bfe2 199950 tomcat7-examples_7.0.56-3+deb8u11_all.deb
 9a25c25d233bd08edd662af3efbfbd781a28192edefc71325bebb6ecdb8980d3 605998 tomcat7-docs_7.0.56-3+deb8u11_all.deb
Files:
 717f5793bb4541887183d384b207df8a 2929 java optional tomcat7_7.0.56-3+deb8u11.dsc
 f41f9cfa9566ff45cdd5770210232657 96236 java optional tomcat7_7.0.56-3+deb8u11.debian.tar.xz
 e623e1773c6ad78ca8cdb78a0a0fb57d 64496 java optional tomcat7-common_7.0.56-3+deb8u11_all.deb
 689ce1a74b0644ef3ec1eb493505cdba 53466 java optional tomcat7_7.0.56-3+deb8u11_all.deb
 32f53491a5d2e47bec84d1038011ac02 40896 java optional tomcat7-user_7.0.56-3+deb8u11_all.deb
 c87d3519c9a67bab96386cee121ab417 3633608 java optional libtomcat7-java_7.0.56-3+deb8u11_all.deb
 364a6933ef97a89afe6342c66ccfe30e 316844 java optional libservlet3.0-java_7.0.56-3+deb8u11_all.deb
 264526e5b2e90ab534b8a37681c2e95c 207024 doc optional libservlet3.0-java-doc_7.0.56-3+deb8u11_all.deb
 bdcf862411c8d8371014a0147de2cfb2 41882 java optional tomcat7-admin_7.0.56-3+deb8u11_all.deb
 4e3daaedfb565f4279fab71e92962835 199950 java optional tomcat7-examples_7.0.56-3+deb8u11_all.deb
 53a84668ac5984cefd64fb3f48927638 605998 doc optional tomcat7-docs_7.0.56-3+deb8u11_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 01 Aug 2017 07:27:40 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:48:38 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.