
Debian Bug report logs - #898935
tomcat8: CVE-2018-8014: The default settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials'


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 17 May 2018 14:54:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version tomcat8/8.5.30-1

Fixed in versions tomcat8/8.5.32-1, 8.5.32-1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bz.apache.org/bugzilla/show_bug.cgi?id=62343



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#898935; Package src:tomcat8. (Thu, 17 May 2018 14:54:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 17 May 2018 14:54:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tomcat8: CVE-2018-8014: The default settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials'
Date: Thu, 17 May 2018 16:51:13 +0200
Source: tomcat8
Version: 8.5.30-1
Severity: important
Tags: patch security upstream
Forwarded: https://bz.apache.org/bugzilla/show_bug.cgi?id=62343

Hi,

The following vulnerability was published for tomcat8.

CVE-2018-8014[0]:
| The default settings for the CORS filter provided in Apache Tomcat
| 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to
| 7.0.88 are insecure and enable 'supportsCredentials' for all origins.
| It is expected that users of the CORS filter will have configured it
| appropriately for their environment rather than using it in the
| default configuration. Therefore, it is expected that most users will
| not be impacted by this issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8014
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=62343

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

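The CVE text above says the problem is a default, not a bug in the filter logic: an `org.apache.catalina.filters.CorsFilter` declared in web.xml without `cors.support.credentials` set behaves as if it were `true`, and `cors.allowed.origins` defaults to `*`. The audit check below is an added example, not part of this bug report or of Tomcat; it parses a web.xml, applies those defaults and flags every CORS filter that ends up allowing credentials for any origin. The init-param names and filter class are Tomcat's real ones; the sample web.xml is constructed, and the `default_supports_credentials` switch is an assumption used to model the pre-fix and post-fix defaults.

```python
import xml.etree.ElementTree as ET

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

def cors_filter_findings(web_xml, default_supports_credentials=True):
    """One finding per CorsFilter in web.xml. default_supports_credentials is the
    value Tomcat assumes when cors.support.credentials is absent: True for the
    releases named in CVE-2018-8014, False once the upstream fix is applied."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop namespaces so plain and namespaced web.xml both work
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    findings = []
    for flt in root.iter("filter"):
        if flt.findtext("filter-class", "").strip() != CORS_FILTER_CLASS:
            continue
        params = {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
                  for p in flt.iter("init-param")}
        origins = params.get("cors.allowed.origins", "*")  # Tomcat default: any origin
        creds_raw = params.get("cors.support.credentials")
        creds = default_supports_credentials if creds_raw is None else creds_raw.lower() == "true"
        findings.append({
            "filter": flt.findtext("filter-name", "").strip(),
            "origins": origins,
            "supports_credentials": creds,
            "credentials_implicit": creds_raw is None,
            # Browsers reject a bare "*" together with credentials, so with any origin
            # allowed the filter reflects the request Origin: every site gets credentialed CORS.
            "risky": creds and origins == "*",
        })
    return findings

# Constructed sample: one filter left at defaults, one pinned to a single origin.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilterDefault</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CorsFilterHardened</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name>
                <param-value>https://app.example.com</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name>
                <param-value>true</param-value></init-param>
  </filter>
</web-app>"""
```

Run `cors_filter_findings(SAMPLE_WEB_XML)` to see the defaulted filter flagged and the pinned one pass; with `default_supports_credentials=False` the same defaulted filter is no longer risky, which is exactly what the 8.5.32 change buys a deployment that never touched the filter's parameters.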


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#898935. (Tue, 22 May 2018 17:51:05 GMT) (full text, mbox, link).


Message #8 received at 898935-submitter@bugs.debian.org (full text, mbox, reply):

From: apo@debian.org
To: 898935-submitter@bugs.debian.org
Subject: Bug #898935 in tomcat7 marked as pending
Date: Tue, 22 May 2018 17:47:22 +0000
Control: tag -1 pending

Hello,

Bug #898935 in tomcat7 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/java-team/tomcat7/commit/6c1605f62663398e1dfcaeac173f4502a52c0d78

------------------------------------------------------------------------
Import Debian changes 7.0.56-3+really7.0.88-1

tomcat7 (7.0.56-3+really7.0.88-1) jessie-security; urgency=high

  * Team upload.
  * New upstream version 7.0.88.
    - Fix CVE-2017-12616, CVE-2017-7674, CVE-2018-1304, CVE-2018-1305 and
      CVE-2018-8014. (Closes: #802312, #898935)
  * Install the missing WebSocket jars in /usr/share/tomcat7/lib/
    (Closes: #787220)
  * Remove debian/keystores and use the latest upstream keystores instead.
  * Build-Depend on libeasymock-java and libobjenesis-java for improved test
    coverage.
  * Refresh all patches and drop obsolete CVE security patches.

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/898935



Added tag(s) pending. Request was from apo@debian.org to 898935-submitter@bugs.debian.org. (Tue, 22 May 2018 17:51:05 GMT) (full text, mbox, link).


Removed tag(s) pending. Request was from Markus Koschany <apo@debian.org> to control@bugs.debian.org. (Tue, 22 May 2018 18:06:04 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 14 Jun 2018 17:25:08 GMT) (full text, mbox, link).


Marked as fixed in versions tomcat8/8.5.32. Request was from Stefano Rivera <stefanor@debian.org> to control@bugs.debian.org. (Thu, 05 Jul 2018 23:24:03 GMT) (full text, mbox, link).


No longer marked as fixed in versions tomcat8/8.5.32. Request was from Stefano Rivera <stefanor@debian.org> to control@bugs.debian.org. (Fri, 06 Jul 2018 00:06:02 GMT) (full text, mbox, link).


Marked as fixed in versions tomcat8/8.5.32-1. Request was from Stefano Rivera <stefanor@debian.org> to control@bugs.debian.org. (Fri, 06 Jul 2018 00:06:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#898935; Package src:tomcat8. (Fri, 24 Aug 2018 07:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to Bogdan Veringioiu <bogdan.veringioiu@amano.eu>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 24 Aug 2018 07:39:03 GMT) (full text, mbox, link).


Message #25 received at 898935@bugs.debian.org (full text, mbox, reply):

From: Bogdan Veringioiu <bogdan.veringioiu@amano.eu>
To: 898935@bugs.debian.org
Subject: migrate fix to stretch security
Date: Fri, 24 Aug 2018 09:30:48 +0200
Hello all,

Is there any plan to migrate the fix to stretch security?

I would be interested in the fixes for CVE-2018-1304, CVE-2018-1305
(resolved in 7.0.88, and in 8.5.32-1 testing) which are important for a
security certification (PCI) on our stretch machines.

Thank you,

-- 
Bogdan Veringioiu

Amano Parking Europe N.V.
Uersfeld 24
52072 Aachen, Germany

e-mail:   bogdan.veringioiu@amano.eu
web:      www.amano.eu




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#898935; Package src:tomcat8. (Fri, 24 Aug 2018 11:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 24 Aug 2018 11:33:03 GMT) (full text, mbox, link).


Message #30 received at 898935@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Bogdan Veringioiu <bogdan.veringioiu@amano.eu>
Cc: 898935@bugs.debian.org
Subject: Re: Bug#898935: migrate fix to stretch security
Date: Fri, 24 Aug 2018 13:28:39 +0200
[Message part 1 (text/plain, inline)]
On 24.08.2018 at 09:30, Bogdan Veringioiu wrote:
> Hello all,
> 
> Is there any plan to migrate the fix to stretch security?
> 
> I would be interested in the fixes for CVE-2018-1304, CVE-2018-1305
> (resolved in 7.0.88, and in 8.5.32-1 testing) which are important for a
> security certification (PCI) on our stretch machines.

I am currently working on a security update for Tomcat 8 that will also
resolve CVE-2018-1304 and CVE-2018-1305.

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#898935; Package src:tomcat8. (Fri, 24 Aug 2018 22:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 24 Aug 2018 22:09:02 GMT) (full text, mbox, link).


Message #35 received at 898935@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Markus Koschany <apo@debian.org>
Cc: Bogdan Veringioiu <bogdan.veringioiu@amano.eu>, 898935@bugs.debian.org
Subject: Tomcat 8 security issues in Stretch
Date: Sat, 25 Aug 2018 00:05:28 +0200
[Message part 1 (text/plain, inline)]
A security update has been sent to Debian's security team and we expect
that the current open issues in Stretch will be fixed in due time.
Please note that Tomcat 7 in Stretch is not vulnerable to any of those
issues because we only build the servlet API.

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#898935; Package src:tomcat8. (Fri, 24 Aug 2018 22:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 24 Aug 2018 22:09:04 GMT) (full text, mbox, link).


Message #40 received at 898935@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: 898935@bugs.debian.org
Subject: Re: Bug#898935: migrate fix to stretch security
Date: Sat, 25 Aug 2018 00:07:04 +0200
[Message part 1 (text/plain, inline)]
Version: 8.5.32-1

This issue was fixed in 8.5.32-1. I am going to close this bug report now.

Markus

[signature.asc (application/pgp-signature, attachment)]

Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Fri, 24 Aug 2018 22:15:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 24 Aug 2018 22:15:03 GMT) (full text, mbox, link).


Message #45 received at 898935-done@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: 898935-done@bugs.debian.org
Subject: Re: Bug#898935: migrate fix to stretch security
Date: Sat, 25 Aug 2018 00:13:27 +0200
[Message part 1 (text/plain, inline)]
Version: 8.5.32-1

This issue was fixed in 8.5.32-1. I am going to close this bug report
now. (really)

Markus
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#898935; Package src:tomcat8. (Mon, 27 Aug 2018 05:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Bogdan Veringioiu <bogdan.veringioiu@amano.eu>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 27 Aug 2018 05:39:03 GMT) (full text, mbox, link).


Message #50 received at 898935@bugs.debian.org (full text, mbox, reply):

From: Bogdan Veringioiu <bogdan.veringioiu@amano.eu>
To: Markus Koschany <apo@debian.org>
Cc: 898935@bugs.debian.org
Subject: Re: Tomcat 8 security issues in Stretch
Date: Mon, 27 Aug 2018 07:36:23 +0200
Thank you!

Bogdan


On 25.08.2018 00:05, Markus Koschany wrote:
> A security update has been sent to Debian's security team and we expect
> that the current open issues in Stretch will be fixed in due time.
> Please note that Tomcat 7 in Stretch is not vulnerable to any of those
> issues because we only build the servlet API.
>
> Regards,
>
> Markus
>
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 13 Oct 2018 07:28:36 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:37:22 2019; Machine Name: buxtehude
