tomcat8 use 100% cpu time

Related Vulnerabilities: CVE-2017-6056  

Debian Bug report logs - #851304
tomcat8 use 100% cpu time


Reported by: RickLinux <linuxtr3@gmail.com>

Date: Fri, 13 Jan 2017 20:21:02 UTC

Severity: important

Tags: security

Found in version tomcat8/8.0.14-1+deb8u6

Fixed in versions tomcat8/8.0.21-1, tomcat8/8.0.14-1+deb8u7

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bz.apache.org/bugzilla/show_bug.cgi?id=60578



Report forwarded to debian-bugs-dist@lists.debian.org, linuxtr3@gmail.com, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Fri, 13 Jan 2017 20:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to RickLinux <linuxtr3@gmail.com>:
New Bug report received and forwarded. Copy sent to linuxtr3@gmail.com, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 13 Jan 2017 20:21:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: RickLinux <linuxtr3@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tomcat8 use 100% cpu time
Date: Fri, 13 Jan 2017 15:16:51 -0500
Package: tomcat8
Version: 8.0.14-1+deb8u6
Severity: important

Dear Maintainer,

I noticed a bump in CPU load up to 100% per CPU.
It appears from tomcat8-8.0.14-1+deb8u4 and up.

Here is how to create the bug.

http://localhost:8080, no problem.
https://localhost:8443, no problem (need to create a certificate).
https://localhost:8080, 100% cpu load.

I use default config coming from stable without any modification to them.
The problem still exists.

If it can help, I tried with apache-tomcat-8.0.39 from Apache's site and
the server operates normally even if I try the requests above.

RickLinux

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat8 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  tomcat8-common         8.0.14-1+deb8u6
ii  ucf                    3.0030

Versions of packages tomcat8 recommends:
ii  authbind  2.1.1

Versions of packages tomcat8 suggests:
pn  libtcnative-1     <none>
pn  tomcat8-admin     <none>
pn  tomcat8-docs      <none>
pn  tomcat8-examples  <none>
pn  tomcat8-user      <none>

-- debconf information:
  tomcat8/groupname: tomcat8
  tomcat8/javaopts: -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC
  tomcat8/username: tomcat8



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Mon, 23 Jan 2017 11:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Kai Moritz <kai@juplo.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 23 Jan 2017 11:36:03 GMT) (full text, mbox, link).


Message #10 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Kai Moritz <kai@juplo.de>
To: 851304@bugs.debian.org
Subject: tomcat8 use 100% cpu time - confirmation
Date: Mon, 23 Jan 2017 12:33:24 +0100
Dear Maintainer,


I can confirm the observations of RickLinux.

I have observed the exact same behaviour on several Debian hosts that
are running Jessie with the version 8.0.14-1+deb8u6 of the
tomcat-packages (and also u4 and u5).


In my case, the effect is triggered by scans that hit the servers that
I am administering at random. Each scan can be seen in the log files
with an entry like:

62.210.246.66 - - [18/Jan/2017:16:20:16 +0100] "-" 400 -

Each hit leads to one CPU hogging 100%. Hence, if the machine has only
one CPU, one hit leads to a DoS; if it has, for example, 8 CPUs, 8 hits
are needed.

At first glance, I thought that the scans were running a specialized
DoS attack. But after I read the bug report of RickLinux, I produced the
exact same behaviour with an HTTPS GET on the port where Tomcat is
listening for HTTP connections.

Like RickLinux, I also tested a vanilla 8.0.14 Tomcat and found that it
does not show this behavior.


Kind Regards

Kai Moritz

-- 
juplo
Owner: Kai Moritz

Tel: +49 (0)176 20 50 47 47
kai@juplo.de
http://juplo.de
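
The access-log signature quoted in message #10 above can be searched for directly. The following Python is an added example, not code from the bug report or from Tomcat; it assumes the access log uses the common log layout shown in that message, and every sample line except the first (copied from the report) is constructed. The names `assess`, `cpu_count` and `since` are chosen for this example.

```python
"""Find access-log entries matching the signature quoted in message #10."""
import re
from collections import Counter
from datetime import datetime

# host ident user [timestamp] "request line" status bytes (trailing fields ignored)
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return {
        "host": m.group("host"),
        "ts": ts,
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def is_unparsable_request(entry):
    """True for the reported signature: request logged as "-" with status 400.

    No HTTP request line could be read, which is what the report saw when an
    https request reached the plain-HTTP port. Other malformed input can log
    the same entry, so a match is an indicator, not proof.
    """
    return entry["request"] == "-" and entry["status"] == 400


def assess(lines, cpu_count, since=None):
    """Summarise suspect hits and compare their number with the CPU count.

    Per the report, each hit leaves one CPU at 100% on an affected package,
    so hits >= cpu_count means every core may be busy. `since` is a tz-aware
    datetime; earlier hits are ignored (assumption of this example: a Tomcat
    restart at that time cleared any spinning threads).
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_unparsable_request(entry):
            continue
        if since is not None and entry["ts"] < since:
            continue
        hits.append(entry)
    times = [e["ts"] for e in hits]
    return {
        "hits": len(hits),
        "per_host": dict(Counter(e["host"] for e in hits)),
        "first": min(times).isoformat() if times else None,
        "last": max(times).isoformat() if times else None,
        "all_cpus_at_risk": len(hits) >= cpu_count,
    }


# First line is the entry quoted in the report; the rest are constructed
# samples using documentation address ranges.
SAMPLE_LOG = [
    '62.210.246.66 - - [18/Jan/2017:16:20:16 +0100] "-" 400 -',
    '192.0.2.10 - - [18/Jan/2017:16:21:02 +0100] "GET / HTTP/1.1" 200 1895',
    '192.0.2.10 - - [18/Jan/2017:16:21:05 +0100] "GET /missing HTTP/1.1" 404 1011',
    '198.51.100.7 - - [18/Jan/2017:16:25:40 +0100] "-" 400 -',
    '198.51.100.7 - - [18/Jan/2017:16:25:41 +0100] "-" 400 -',
    '192.0.2.44 - - [18/Jan/2017:16:30:00 +0100] "POST /app HTTP/1.1" 400 0',
    'not an access log line',
]

if __name__ == "__main__":
    report = assess(SAMPLE_LOG, cpu_count=4)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a host still running a package from the "Found in" range, a non-zero `hits` value is a reason to check per-thread CPU usage of the Tomcat process and to upgrade to the fixed version listed at the top of this log.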



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Mon, 30 Jan 2017 19:18:02 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 30 Jan 2017 19:18:02 GMT) (full text, mbox, link).


Message #15 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: 851304@bugs.debian.org
Subject: Re: tomcat8 use 100% cpu time - confirmation
Date: Mon, 30 Jan 2017 20:16:01 +0100
[Message part 1 (text/plain, inline)]
Control: forwarded -1 https://bz.apache.org/bugzilla/show_bug.cgi?id=60578

I am marking this bug as forwarded in case someone is wondering about
the current progress. Apparently Emmanuel is already working on an update.



Set Bug forwarded-to-address to 'https://bz.apache.org/bugzilla/show_bug.cgi?id=60578'. Request was from Markus Koschany <apo@debian.org> to 851304-submit@bugs.debian.org. (Mon, 30 Jan 2017 19:18:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Mon, 30 Jan 2017 19:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 30 Jan 2017 19:57:05 GMT) (full text, mbox, link).


Message #22 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: 851304@bugs.debian.org
Subject: Re: Bug#851304: tomcat8 use 100% cpu time - confirmation
Date: Mon, 30 Jan 2017 20:55:29 +0100
[Message part 1 (text/plain, inline)]
Looks like this is the proposed upstream fix:

https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788#diff-2aeb244142da5fcb78a54e23f717fcd2


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Wed, 08 Feb 2017 14:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 08 Feb 2017 14:54:03 GMT) (full text, mbox, link).


Message #27 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Emmanuel Bourg <ebourg@apache.org>
Cc: 851304@bugs.debian.org, 854551@bugs.debian.org
Subject: Re: tomcat8 use 100% cpu time
Date: Wed, 8 Feb 2017 15:52:31 +0100
[Message part 1 (text/plain, inline)]
On Fri, 13 Jan 2017 15:16:51 -0500 RickLinux <linuxtr3@gmail.com> wrote:
> Package: tomcat8
> Version: 8.0.14-1+deb8u6
> Severity: important
> 
> Dear Maintainer,
> 
> I noticed a bump in CPU load up to 100% per CPU.
> It appears from tomcat8-8.0.14-1+deb8u4 and up.
> 
> Here is how to create the bug.
> 
> http://localhost:8080, no problem.
> https://localhost:8443, no problem (need to create a certificate).
> https://localhost:8080, 100% cpu load.

Hi Emmanuel,

it appears that Tomcat 7 and 8 in Jessie and Wheezy are affected by this
bug. Are you still working on it or shall I prepare updates for
-security based on the upstream patch from

https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788#diff-2aeb244142da5fcb78a54e23f717fcd2

Regards,

Markus


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Wed, 08 Feb 2017 18:21:02 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 08 Feb 2017 18:21:02 GMT) (full text, mbox, link).


Message #32 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Emmanuel Bourg <ebourg@apache.org>
Cc: 851304@bugs.debian.org, 854551@bugs.debian.org
Subject: Re: tomcat8 use 100% cpu time
Date: Wed, 8 Feb 2017 19:17:23 +0100
[Message part 1 (text/plain, inline)]
On 08.02.2017 19:12, Emmanuel Bourg wrote:
> On 8/02/2017 at 15:52, Markus Koschany wrote:
> 
>> it appears that Tomcat 7 and 8 in Jessie and Wheezy are affected by this
>> bug. Are you still working on it or shall I prepare updates for
>> -security based on the upstream patch from
>>
>> https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788#diff-2aeb244142da5fcb78a54e23f717fcd2
> 
> Hi Markus,
> 
> Feel free to prepare the update, I'm rather busy atm and I won't be able
> to work on this before this weekend. I was considering uploading a
> stable update but it won't be immediately available. A security update
> would be faster but I don't know if the security team would accept it.
> 

Alright. I'll take care of it tomorrow and get in touch with the
security team.

Cheers,

Markus



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Wed, 08 Feb 2017 18:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 08 Feb 2017 18:33:02 GMT) (full text, mbox, link).


Message #37 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: Markus Koschany <apo@debian.org>
Cc: 851304@bugs.debian.org, 854551@bugs.debian.org
Subject: Re: tomcat8 use 100% cpu time
Date: Wed, 8 Feb 2017 19:12:46 +0100
On 8/02/2017 at 15:52, Markus Koschany wrote:

> it appears that Tomcat 7 and 8 in Jessie and Wheezy are affected by this
> bug. Are you still working on it or shall I prepare updates for
> -security based on the upstream patch from
> 
> https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788#diff-2aeb244142da5fcb78a54e23f717fcd2

Hi Markus,

Feel free to prepare the update, I'm rather busy atm and I won't be able
to work on this before this weekend. I was considering uploading a
stable update but it won't be immediately available. A security update
would be faster but I don't know if the security team would accept it.

Emmanuel Bourg




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Fri, 10 Feb 2017 01:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to 851304@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 10 Feb 2017 01:33:03 GMT) (full text, mbox, link).


Message #42 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: linuxtr3@gmail.com, kai@juplo.de
Cc: 851304@bugs.debian.org
Subject: Re: tomcat8 use 100% cpu time
Date: Fri, 10 Feb 2017 02:28:53 +0100
[Message part 1 (text/plain, inline)]
Hello,

thank you for reporting this bug. We think we have found a solution for
this issue. I have uploaded new binary packages of Tomcat 8 for Debian
Jessie to [1] and a debdiff in case you prefer to build the package from
source. We would appreciate it if you could test those packages and tell
us if they fix your cpu load problem.

[1] https://people.debian.org/~apo/tomcat8/

Regards,

Markus


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Sun, 12 Feb 2017 03:06:04 GMT) (full text, mbox, link).


Acknowledgement sent to Richard Jobin <linuxtr3@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 12 Feb 2017 03:06:04 GMT) (full text, mbox, link).


Message #47 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Richard Jobin <linuxtr3@gmail.com>
To: 851304@bugs.debian.org
Subject: Re: tomcat8 use 100% cpu time
Date: Sat, 11 Feb 2017 22:04:18 -0500
[Message part 1 (text/plain, inline)]
I will give it a try as soon as possible.

I would be glad to help

RickLinux

On Feb 9, 2017 8:28 PM, "Markus Koschany" <apo@debian.org> wrote:

> Hello,
>
> thank you for reporting this bug. We think we have found a solution for
> this issue. I have uploaded new binary packages of Tomcat 8 for Debian
> Jessie to [1] and a debdiff in case you prefer to build the package from
> source. We would appreciate it if you could test those packages and tell
> us if they fix your cpu load problem.
>
> [1] https://people.debian.org/~apo/tomcat8/
>
> Regards,
>
> Markus
>
>

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Sun, 12 Feb 2017 10:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to Kai Moritz <kai@juplo.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 12 Feb 2017 10:27:05 GMT) (full text, mbox, link).


Message #52 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Kai Moritz <kai@juplo.de>
To: 851304@bugs.debian.org, linuxtr3@gmail.com
Subject: Re: Bug#851304: tomcat8 use 100% cpu time
Date: Sun, 12 Feb 2017 11:24:32 +0100
Hi Markus,


I installed the updated packages (in my case only: libtomcat8-java,
tomcat8-common and tomcat8) on three different servers: my private one,
which serves only my own little projects, a test server and a redundant
production server at work.

It looks like they fix the reported issue on all three hosts and
everything else works as expected.

I will keep monitoring the servers and report back if I encounter
anything strange.

Some days later I will also install the fixed packages on our
production server at work, if nothing has shown up on the servers where
the packages are already installed.

By the way:
During the installation of the three packages I noticed that one of the
three hosts has been vulnerable to the bug, even though the access to
the HTTP connector was restricted to one special client. That means the
bug can be exploited even if one restricts the access to the port in
the server.xml.


Regards,

kai

On 10.02.2017 at 02:28, Markus Koschany wrote:
> Hello,
>
> thank you for reporting this bug. We think we have found a solution for
> this issue. I have uploaded new binary packages of Tomcat 8 for Debian
> Jessie to [1] and a debdiff in case you prefer to build the package from
> source. We would appreciate it if you could test those packages and tell
> us if they fix your cpu load problem.
>
> [1] https://people.debian.org/~apo/tomcat8/
>
> Regards,
>
> Markus
>

-- 
juplo
Owner: Kai Moritz

Tel: +49 (0)176 20 50 47 47
kai@juplo.de
http://juplo.de



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Sun, 12 Feb 2017 20:36:07 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 12 Feb 2017 20:36:08 GMT) (full text, mbox, link).


Message #57 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Kai Moritz <kai@juplo.de>
Cc: 851304@bugs.debian.org
Subject: Re: Bug#851304: tomcat8 use 100% cpu time
Date: Sun, 12 Feb 2017 21:24:21 +0100
[Message part 1 (text/plain, inline)]
On 12.02.2017 11:24, Kai Moritz wrote:
> Hi Markus,
> 
> 
> I installed the updated packages (in my case only: libtomcat8-java,
> tomcat8-common and tomcat8) on three different servers. My private one,
> that serves only my own little projects, a test-server and a redundant
> production server at work.
> 
> It looks like they fix the reported issue on all three hosts and
> everything else works as expected.

That's great to hear. Thank you very much Kai for taking your time to
test the packages and getting back to us.

Best,

Markus



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Sun, 12 Feb 2017 20:42:02 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 12 Feb 2017 20:42:03 GMT) (full text, mbox, link).


Message #62 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: "team@security.debian.org" <team@security.debian.org>
Cc: 851304@bugs.debian.org, 854551@bugs.debian.org
Subject: Re: Bug#851304: tomcat8 use 100% cpu time
Date: Sun, 12 Feb 2017 21:38:31 +0100
[Message part 1 (text/plain, inline)]
Hi,

a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
the issue is related to our latest security updates. We would like to
address this regression as soon as possible because this one can be
triggered remotely and cause a denial-of-service.

I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
will update the changelogs later.

Regards,

Markus
[tomcat7.debdiff (text/plain, attachment)]
[tomcat8.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Mon, 13 Feb 2017 07:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 13 Feb 2017 07:39:06 GMT) (full text, mbox, link).


Message #67 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Markus Koschany <apo@debian.org>
Cc: "team@security.debian.org" <team@security.debian.org>, 851304@bugs.debian.org, 854551@bugs.debian.org
Subject: Re: Bug#851304: tomcat8 use 100% cpu time
Date: Mon, 13 Feb 2017 08:34:15 +0100
On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
> Hi,
> 
> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
> the issue is related to our latest security updates. We would like to
> address this regression as soon as possible because this one can be
> triggered remotely and cause a denial-of-service.
> 
> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
> will update the changelogs later.

Thanks, please upload.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Mon, 13 Feb 2017 09:51:06 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 13 Feb 2017 09:51:07 GMT) (full text, mbox, link).


Message #72 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: "team@security.debian.org" <team@security.debian.org>
Cc: 851304@bugs.debian.org, 854551@bugs.debian.org
Subject: Re: Bug#851304: tomcat8 use 100% cpu time
Date: Mon, 13 Feb 2017 10:48:20 +0100
[Message part 1 (text/plain, inline)]
On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
> On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
>> the issue is related to our latest security updates. We would like to
>> address this regression as soon as possible because this one can be
>> triggered remotely and cause a denial-of-service.
>>
>> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
>> will update the changelogs later.
> 
> Thanks, please upload.

Thanks. Uploaded.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Mon, 13 Feb 2017 09:51:15 GMT) (full text, mbox, link).


Message #75 received at 851304@bugs.debian.org (full text, mbox, reply):

From: pkg-java-maintainers@lists.alioth.debian.org
To: 851304@bugs.debian.org, 851304-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the tomcat8 package
Date: Mon, 13 Feb 2017 09:50:45 +0000
tag 851304 + pending
thanks

Some bugs in the tomcat8 package are closed in revision
401af63dfb55e4153aba434d2e6f5d973f01e4cd in branch 'jessie' by
Markus Koschany

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/tomcat8.git/commit/?id=401af63

Commit message:

    Import Debian changes 8.0.14-1+deb8u7
    
    tomcat8 (8.0.14-1+deb8u7) jessie-security; urgency=high
    
      * Team upload.
      * Add BZ57544-infinite-loop.patch: It was found that https GET requests could
        trigger an infinite loop and thus cause a denial-of-service.
        (Closes: #851304)




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 13 Feb 2017 09:51:16 GMT) (full text, mbox, link).


Message sent on to RickLinux <linuxtr3@gmail.com>:
Bug#851304. (Mon, 13 Feb 2017 09:51:19 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Tue, 14 Feb 2017 00:12:17 GMT) (full text, mbox, link).


Acknowledgement sent to "linuxtr3@gmail.com" <linuxtr3@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 14 Feb 2017 00:12:17 GMT) (full text, mbox, link).


Message #85 received at 851304@bugs.debian.org (full text, mbox, reply):

From: "linuxtr3@gmail.com" <linuxtr3@gmail.com>
To: 851304@bugs.debian.org
Subject: Re: tomcat8 use 100% cpu time
Date: Mon, 13 Feb 2017 19:10:49 -0500
[Message part 1 (text/plain, inline)]
I tried the updated package and it works well.

RickLinux

-------- Original Message --------
From:Markus Koschany <apo@debian.org>
Sent:Thu, 09 Feb 2017 20:28:53 -0500
To:linuxtr3@gmail.com,kai@juplo.de
Cc:851304@bugs.debian.org
Subject:Re: tomcat8 use 100% cpu time

>Hello,
>
>thank you for reporting this bug. We think we have found a solution for
>this issue. I have uploaded new binary packages of Tomcat 8 for Debian
>Jessie to [1] and a debdiff in case you prefer to build the package from
>source. We would appreciate it if you could test those packages and tell
>us if they fix your cpu load problem.
>
>[1] https://people.debian.org/~apo/tomcat8/
>
>Regards,
>
>Markus
>

Marked as fixed in versions tomcat8/8.0.14-1+deb8u7. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 14 Feb 2017 03:36:02 GMT) (full text, mbox, link).


Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 14 Feb 2017 03:36:02 GMT) (full text, mbox, link).


Notification sent to RickLinux <linuxtr3@gmail.com>:
Bug acknowledged by developer. (Tue, 14 Feb 2017 03:36:03 GMT) (full text, mbox, link).


Message sent on to RickLinux <linuxtr3@gmail.com>:
Bug#851304. (Tue, 14 Feb 2017 03:36:05 GMT) (full text, mbox, link).


Message #94 received at 851304-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 851304-submitter@bugs.debian.org
Subject: closing 851304
Date: Tue, 14 Feb 2017 04:33:04 +0100
close 851304 8.0.14-1+deb8u7
thanks




Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 14 Feb 2017 03:39:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Fri, 17 Feb 2017 21:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 17 Feb 2017 21:12:03 GMT) (full text, mbox, link).


Message #101 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>, 851304@bugs.debian.org, Emmanuel Bourg <ebourg@apache.org>
Cc: "team@security.debian.org" <team@security.debian.org>, 854551@bugs.debian.org
Subject: Re: Bug#851304: tomcat8 use 100% cpu time
Date: Fri, 17 Feb 2017 22:09:26 +0100
Hi Markus, hi Emmanuel,

On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote:
> On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
> > On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
> >> Hi,
> >>
> >> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
> >> the issue is related to our latest security updates. We would like to
> >> address this regression as soon as possible because this one can be
> >> triggered remotely and cause a denial-of-service.
> >>
> >> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
> >> will update the changelogs later.
> > 
> > Thanks, please upload.
> 
> Thanks. Uploaded.

Btw, I requested a CVE for this issue and it got assigned
CVE-2017-6056.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Fri, 17 Feb 2017 21:21:02 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 17 Feb 2017 21:21:02 GMT) (full text, mbox, link).


Message #106 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 851304@bugs.debian.org, Emmanuel Bourg <ebourg@apache.org>, "team@security.debian.org" <team@security.debian.org>, 854551@bugs.debian.org
Subject: Re: Bug#851304: tomcat8 use 100% cpu time
Date: Fri, 17 Feb 2017 22:19:18 +0100
[Message part 1 (text/plain, inline)]
On 17.02.2017 22:09, Salvatore Bonaccorso wrote:
> Hi Markus, hi Emmanuel,
> 
> On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote:
>> On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
>>> On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
>>>> Hi,
>>>>
>>>> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
>>>> the issue is related to our latest security updates. We would like to
>>>> address this regression as soon as possible because this one can be
>>>> triggered remotely and cause a denial-of-service.
>>>>
>>>> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
>>>> will update the changelogs later.
>>>
>>> Thanks, please upload.
>>
>> Thanks. Uploaded.
> 
> Btw, I requested a CVE for this issue and it got assigned
> CVE-2017-6056.

Hi Salvatore,

Thank you. However apparently the fix was not complete. We received two
reports that the server returns 400 errors under certain circumstances. [1]
We need to prepare a regression update and the suggested fix is [2].
Sorry for the inconvenience.

Regards,

Markus


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854551#59
[2]
https://github.com/apache/tomcat80/commit/534d62075f8c03cc3e77f301e53be53acdefd1c9.patch



Marked as fixed in versions tomcat8/8.0.21-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Feb 2017 21:21:09 GMT) (full text, mbox, link).


Message sent on to RickLinux <linuxtr3@gmail.com>:
Bug#851304. (Fri, 17 Feb 2017 21:21:12 GMT) (full text, mbox, link).


Message #111 received at 851304-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 851304-submitter@bugs.debian.org
Subject: closing 851304
Date: Fri, 17 Feb 2017 22:18:21 +0100
close 851304 8.0.21-1
thanks




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Sat, 18 Feb 2017 12:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 18 Feb 2017 12:24:03 GMT) (full text, mbox, link).


Message #116 received at 851304@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>, 851304@bugs.debian.org
Cc: Emmanuel Bourg <ebourg@apache.org>, "team@security.debian.org" <team@security.debian.org>, 854551@bugs.debian.org
Subject: Re: Bug#851304: tomcat8 use 100% cpu time
Date: Sat, 18 Feb 2017 13:21:35 +0100
Hi Markus,

On Fri, Feb 17, 2017 at 10:19:18PM +0100, Markus Koschany wrote:
> On 17.02.2017 22:09, Salvatore Bonaccorso wrote:
> > Hi Markus, hi Emmanuel,
> > 
> > On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote:
> >> On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
> >>> On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
> >>>> Hi,
> >>>>
> >>>> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
> >>>> the issue is related to our latest security updates. We would like to
> >>>> address this regression as soon as possible because this one can be
> >>>> triggered remotely and cause a denial-of-service.
> >>>>
> >>>> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
> >>>> will update the changelogs later.
> >>>
> >>> Thanks, please upload.
> >>
> >> Thanks. Uploaded.
> > 
> > Btw, I requested a CVE for this issue and it got assigned
> > CVE-2017-6056.
> 
> Hi Salvatore,
> 
> Thank you. However apparently the fix was not complete. We received two
> reports that the server returns 400 errors under certain circumstances. [1]
> We need to prepare a regression update and the suggested fix is [2].
> Sorry for the inconvenience.

No problem. Thanks for noticing, can you let us know as usual when you
have a debdiff ready for the regression update?

I tend to see this as regression update for the previous DSA, so no
need for a new CVE id. But let me know if someone thinks otherwise and
I can follow up with MITRE.

Thanks for your continuous work,

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Sat, 18 Feb 2017 18:57:09 GMT).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 18 Feb 2017 18:57:09 GMT).


Message #121 received at 851304@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 851304@bugs.debian.org, Emmanuel Bourg <ebourg@apache.org>, "team@security.debian.org" <team@security.debian.org>, 854551@bugs.debian.org
Subject: Re: Bug#851304: tomcat8 use 100% cpu time
Date: Sat, 18 Feb 2017 19:53:33 +0100
On 18.02.2017 13:21, Salvatore Bonaccorso wrote:
[...]
> No problem. Thanks for noticing, can you let us know as usual when you
> have a debdiff ready for the regression update?
> 
> I tend to see this as regression update for the previous DSA, so no
> need for a new CVE id. But let me know if someone thinks otherwise and
> I can follow up with MITRE.
> 
> Thanks for your continuous work,

I agree this is a regression update. Please find attached the debdiffs
for Tomcat 7 and Tomcat 8.

Regards,

Markus

[tomcat7.debdiff (text/plain, attachment)]
[tomcat8.debdiff (text/plain, attachment)]

Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sat, 18 Feb 2017 23:36:12 GMT).


Notification sent to RickLinux <linuxtr3@gmail.com>:
Bug acknowledged by developer. (Sat, 18 Feb 2017 23:36:12 GMT).


Message #126 received at 851304-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 851304-close@bugs.debian.org
Subject: Bug#851304: fixed in tomcat8 8.0.14-1+deb8u7
Date: Sat, 18 Feb 2017 23:32:21 +0000
Source: tomcat8
Source-Version: 8.0.14-1+deb8u7

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851304@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 Feb 2017 10:34:43 +0100
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u7
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 851304
Changes:
 tomcat8 (8.0.14-1+deb8u7) jessie-security; urgency=high
 .
   * Team upload.
   * Add BZ57544-infinite-loop.patch: It was found that https GET requests could
     trigger an infinite loop and thus cause a denial-of-service.
     (Closes: #851304)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
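
The upload above closes this bug in 8.0.14-1+deb8u7, and the bug metadata also lists 8.0.21-1 as fixed. The following is an added example, not part of the bug log or of any Debian tool: it reimplements Debian version ordering so that a package inventory can be checked offline against that fixed version. The host names and the inventory are constructed, and `hosts_below_fix` is a hypothetical helper.

```python
import re
from itertools import zip_longest

# Fixed jessie-security version, taken from this bug log.
FIXED_JESSIE = "8.0.14-1+deb8u7"

def _order(ch):
    """dpkg character weight: '~' sorts first, then letters, then the rest."""
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings as (non-digit, digit) chunks."""
    chunks = zip_longest(re.findall(r"(\D*)(\d*)", a),
                         re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in chunks:
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            oa, ob = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
            if oa != ob:
                return -1 if oa < ob else 1
        ia, ib = int(na or 0), int(nb or 0)   # digit runs compare numerically
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision]; epoch defaults to 0."""
    head, sep, tail = version.partition(":")
    epoch, rest = (int(head), tail) if sep else (0, version)
    upstream, sep, revision = rest.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, rest, "")

def compare(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def hosts_below_fix(inventory):
    """Hosts whose tomcat8 version sorts before the fixed upload."""
    return sorted(h for h, v in inventory.items() if compare(v, FIXED_JESSIE) < 0)

# Constructed inventory: host -> installed tomcat8 version.
INVENTORY = {"app1": "8.0.14-1+deb8u6", "app2": "8.0.14-1+deb8u7",
             "app3": "8.0.21-1", "app4": "8.0.14-1+deb8u4"}

if __name__ == "__main__":
    print(hosts_below_fix(INVENTORY))
```

On a Debian host itself, `dpkg --compare-versions` gives the same ordering for a single installed version.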




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Mon, 20 Feb 2017 16:48:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 20 Feb 2017 16:48:03 GMT).


Message #131 received at 851304@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>, 854551@bugs.debian.org
Cc: 851304@bugs.debian.org, Emmanuel Bourg <ebourg@apache.org>, "team@security.debian.org" <team@security.debian.org>
Subject: Re: Bug#854551: Bug#851304: tomcat8 use 100% cpu time
Date: Mon, 20 Feb 2017 17:45:10 +0100
Hi Markus,

On Sat, Feb 18, 2017 at 07:53:33PM +0100, Markus Koschany wrote:
> On 18.02.2017 13:21, Salvatore Bonaccorso wrote:
> [...]
> > No problem. Thanks for noticing, can you let us know as usual when you
> > have a debdiff ready for the regression update?
> > 
> > I tend to see this as regression update for the previous DSA, so no
> > need for a new CVE id. But let me know if someone thinks otherwise and
> > I can follow up with MITRE.
> > 
> > Thanks for your continuous work,
> 
> I agree this is a regression update. Please find attached the debdiffs
> for Tomcat 7 and Tomcat 8.

Sorry for the delay (due to various circumstances). The fix looks sane
to me. Assuming the fix could have been tested as well, please do
upload to security-master.

Regards and thanks for your work,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851304; Package tomcat8. (Mon, 20 Feb 2017 17:45:02 GMT).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 20 Feb 2017 17:45:02 GMT).


Message #136 received at 851304@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 854551@bugs.debian.org
Cc: 851304@bugs.debian.org, "team@security.debian.org" <team@security.debian.org>
Subject: Re: Bug#854551: Bug#851304: tomcat8 use 100% cpu time
Date: Mon, 20 Feb 2017 18:43:24 +0100
On 20.02.2017 17:45, Salvatore Bonaccorso wrote:
[...]
> Sorry for the delay (due to various circumstances). The fix looks sane
> to me. Assuming the fix could have been tested as well, please do
> upload to security-master.
> 

Hi,

no problem. I have just uploaded both packages to security-master.

Cheers,

Markus


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 21 Mar 2017 07:24:55 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:05:46 2019; Machine Name: beach
