Debian Bug report logs - #860070: tomcat8: CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#860070; Package src:tomcat8. (Tue, 11 Apr 2017 04:48:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 11 Apr 2017 04:48:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: tomcat8
Version: 8.5.11-1
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for tomcat8.
CVE-2017-5650[0]:
|The handling of an HTTP/2 GOAWAY frame for a connection did not close
|streams associated with that connection that were currently waiting for
|a WINDOW_UPDATE before allowing the application to write more data.
|These waiting streams each consumed a thread. A malicious client could
|therefore construct a series of HTTP/2 requests that would consume all
|available processing threads.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-5650
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5650
Regards,
Salvatore
Marked as found in versions tomcat8/8.0.14-1. Request was from Markus Koschany <apo@debian.org> to 860068-submit@bugs.debian.org. (Tue, 11 Apr 2017 14:18:09 GMT)
Owner recorded as Markus Koschany <apo@debian.org>. Request was from Markus Koschany <apo@debian.org> to 860068-submit@bugs.debian.org. (Tue, 11 Apr 2017 14:18:13 GMT)
Changed Bug title to 'tomcat8: CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651' from 'tomcat8: CVE-2017-5650'. Request was from Markus Koschany <apo@debian.org> to 860068-submit@bugs.debian.org. (Wed, 12 Apr 2017 09:57:07 GMT)
Severity set to 'serious' from 'important'. Request was from Markus Koschany <apo@debian.org> to 860068-submit@bugs.debian.org. (Wed, 12 Apr 2017 09:57:09 GMT)
Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Wed, 12 Apr 2017 12:12:15 GMT)
Message #18 received at 860068-close@bugs.debian.org:
Source: tomcat8
Source-Version: 8.5.11-2
We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 860068@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated tomcat8 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 12 Apr 2017 09:58:46 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source
Version: 8.5.11-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
tomcat8 - Apache Tomcat 8 - Servlet and JSP engine
tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 860068
Changes:
tomcat8 (8.5.11-2) unstable; urgency=medium
.
* Team upload.
* Fix the following security vulnerabilities (Closes: #860068):
Thanks to Salvatore Bonaccorso for the report.
- CVE-2017-5647:
A bug in the handling of the pipelined requests when send file was used
resulted in the pipelined request being lost when send file processing of
the previous request completed. This could result in responses appearing
to be sent for the wrong request. For example, a user agent that sent
requests A, B and C could see the correct response for request A, the
response for request C for request B and no response for request C.
- CVE-2017-5648:
It was noticed that some calls to application listeners did not use the
appropriate facade object. When running an untrusted application under a
SecurityManager, it was therefore possible for that untrusted application
to retain a reference to the request or response object and thereby access
and/or modify information associated with another web application.
- CVE-2017-5650:
The handling of an HTTP/2 GOAWAY frame for a connection did not close
streams associated with that connection that were currently waiting for a
WINDOW_UPDATE before allowing the application to write more data. These
waiting streams each consumed a thread. A malicious client could therefore
construct a series of HTTP/2 requests that would consume all available
processing threads.
- CVE-2017-5651:
The refactoring of the HTTP connectors for 8.5.x onwards, introduced a
regression in the send file processing. If the send file processing
completed quickly, it was possible for the Processor to be added to the
processor cache twice. This could result in the same Processor being used
for multiple requests which in turn could lead to unexpected errors and/or
response mix-up.
* debian/control: tomcat8: Fix Lintian error and depend on lsb-base.
Checksums-Sha1:
b07cfdae4c9833e73465ee434c1d4b706859cb39 3088 tomcat8_8.5.11-2.dsc
019f6dbd06a6327f57567244a2248353f56d6d3e 45956 tomcat8_8.5.11-2.debian.tar.xz
5468a9cd8386358fb683764f3d3f8f678d0a4479 13448 tomcat8_8.5.11-2_amd64.buildinfo
Checksums-Sha256:
ace4b04910808599fd769221054afea53b75d2405fb0cafe9918e5c74d930efe 3088 tomcat8_8.5.11-2.dsc
22d22c58d4448d185c166b5e6585d5955be6d41a4a27d4ec6f52f2b0f5279407 45956 tomcat8_8.5.11-2.debian.tar.xz
b4f70d38dfb6687d340ab32f0c3690960ac1e0892dde3e7fd486c5647eaf236a 13448 tomcat8_8.5.11-2_amd64.buildinfo
Files:
0f2c32cce9287214efbbfcbc02358238 3088 java optional tomcat8_8.5.11-2.dsc
09c42f3d51d3788d63a42cdaf11d2d76 45956 java optional tomcat8_8.5.11-2.debian.tar.xz
e6048a67c2b73df2ff51f8da513029aa 13448 java optional tomcat8_8.5.11-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKiBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAljuGNVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkFpwP8wRf3aHpIkAAYXJi/55HdfjV6fp576UaCsdl
yQP6rHgyPjmZ3W7x5RaApiAVp2TfYIbeV7hG9CDc+PswTCkDViNkf8YBE3fkxAqD
BbmLtGJi38kV1rq2hajuR6s5sdRvOphuX5EdaKp8/iMjutTMd9E0VWRIzDYb4nyf
U9a4MTbtUxauJg1ILF+MuEEFHJ0sGyGWLHMKNs219jva/B7ILG+7d/oCST7Dlvny
e/fNTW3N2CRUfIafrJFNNX4OFUlapHBqruWn4/SNW7mrx/S0tOv0i3OlVVkLO6F9
V/AiDptQe0jeg/QuNRNv5EykP/kxo2VKoh+/jNchcH0UadG9tG2Beu4BqlcXbs5M
Tz/lPCk2Ee27yl3BmWJRVQcOxBMjIfG0yCepiTZS/saz9xyD2g6qSC8cgd5XT7F6
4DuKRj2q+RiriJ9HZonhl/qELh6XogC8IxUTi23+f9fN68yGJ83kvCi/+2T0rhqZ
BQ/8QQXNvaWW3LW3W0MaQZnYLdUSf0TUZJCcZGlAm6cdFWizw2DDQfVGzcXlLNMH
ralqKEiG/t3vFZftW2YysyyQraVNPz4LgRPHuRTnQ7wr64gachKNnXxOOIPDKbS+
919NOIZ+KgXO4rrwI0eNQ4rH8CunRuOXaNocNJOoaarFSTW2ARPdFJoWEcqkxHL7
5OLXAF8=
=hsJ8
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:48:29 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:02:26 2019; Machine Name: buxtehude