tomcat8: CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651

Debian Bug report logs - #860068
tomcat8: CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: tomcat8: CVE-2017-5647

Date: Tue, 11 Apr 2017 06:43:11 +0200

Source: tomcat8
Version: 8.0.14-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for tomcat8.

CVE-2017-5647[0]
|A bug in the handling of the pipelined requests when send file was
|used resulted in the pipelined request being lost when send file
|processing of the previous request completed. This could result in
|responses appearing to be sent for the wrong request. For example, a
|user agent that sent requests A, B and C could see the correct
|response for request A, the response for request C for request B and
|no response for request C.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5647
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5647

Regards,
Salvatore

Message #10 received at 860068@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: 860068@bugs.debian.org

Subject: Re: Bug#860068: tomcat8: CVE-2017-5647

Date: Tue, 11 Apr 2017 16:16:01 +0200

[Message part 1 (text/plain, inline)]

Control: merge 860068 860069 860070 860071
Control: owner 860068 !

I will take care of these CVEs. To reduce the noise on the list I'm
going to merge all four reports into one.

Markus

[signature.asc (application/pgp-signature, attachment)]

Message #21 received at 860068@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Markus Koschany <apo@debian.org>

Cc: pkg-java-maintainers@lists.alioth.debian.org, 860068@bugs.debian.org

Subject: Re: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

Date: Tue, 11 Apr 2017 17:18:12 +0200

Hi Markus,

On Tue, Apr 11, 2017 at 02:18:14PM +0000, Debian Bug Tracking System wrote:
> Processing control commands:
> 
> > merge 860068 860069 860070 860071
> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
> Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648
> Marked as found in versions tomcat8/8.5.11-1.
> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
> Marked as found in versions tomcat8/8.5.11-1.
> Bug #860071 [src:tomcat8] tomcat8: CVE-2017-5651
> Marked as found in versions tomcat8/8.0.14-1.
> Bug #860070 [src:tomcat8] tomcat8: CVE-2017-5650
> Marked as found in versions tomcat8/8.0.14-1.
> Merged 860068 860069 860070 860071

Why the merge? I was a exlicit choice to open 4 bugs due to the
different CVE's and different affected versions (note that two affect
8.0.14-1 and two only 8.5.11-1 but not the version in jessie).

Regards,
Salvatore

Message #26 received at 860068@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 860068@bugs.debian.org

Subject: Re: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

Date: Tue, 11 Apr 2017 17:24:25 +0200

[Message part 1 (text/plain, inline)]

Am 11.04.2017 um 17:18 schrieb Salvatore Bonaccorso:
> Hi Markus,
> 
> On Tue, Apr 11, 2017 at 02:18:14PM +0000, Debian Bug Tracking System wrote:
>> Processing control commands:
>>
>>> merge 860068 860069 860070 860071
>> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
>> Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648
>> Marked as found in versions tomcat8/8.5.11-1.
>> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
>> Marked as found in versions tomcat8/8.5.11-1.
>> Bug #860071 [src:tomcat8] tomcat8: CVE-2017-5651
>> Marked as found in versions tomcat8/8.0.14-1.
>> Bug #860070 [src:tomcat8] tomcat8: CVE-2017-5650
>> Marked as found in versions tomcat8/8.0.14-1.
>> Merged 860068 860069 860070 860071
> 
> Why the merge? I was a exlicit choice to open 4 bugs due to the
> different CVE's and different affected versions (note that two affect
> 8.0.14-1 and two only 8.5.11-1 but not the version in jessie).

Hi,

please combine CVEs for (Java) packages because single bug reports just
create more noise on the list and in the end we make one upload to
address all of them together. I suggest to use the found/fixed tags as
needed.

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]

Message #31 received at 860068@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Markus Koschany <apo@debian.org>

Cc: 860068@bugs.debian.org

Subject: Re: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

Date: Tue, 11 Apr 2017 17:44:48 +0200

Hi,

On Tue, Apr 11, 2017 at 05:24:25PM +0200, Markus Koschany wrote:
> Am 11.04.2017 um 17:18 schrieb Salvatore Bonaccorso:
> > Hi Markus,
> > 
> > On Tue, Apr 11, 2017 at 02:18:14PM +0000, Debian Bug Tracking System wrote:
> >> Processing control commands:
> >>
> >>> merge 860068 860069 860070 860071
> >> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
> >> Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648
> >> Marked as found in versions tomcat8/8.5.11-1.
> >> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
> >> Marked as found in versions tomcat8/8.5.11-1.
> >> Bug #860071 [src:tomcat8] tomcat8: CVE-2017-5651
> >> Marked as found in versions tomcat8/8.0.14-1.
> >> Bug #860070 [src:tomcat8] tomcat8: CVE-2017-5650
> >> Marked as found in versions tomcat8/8.0.14-1.
> >> Merged 860068 860069 860070 860071
> > 
> > Why the merge? I was a exlicit choice to open 4 bugs due to the
> > different CVE's and different affected versions (note that two affect
> > 8.0.14-1 and two only 8.5.11-1 but not the version in jessie).
> 
> Hi,
> 
[...]
> I suggest to use the found/fixed tags as
> needed.

NB: Which is exactly what I did (see the different found versions), to
track correctly the version as well in BTS. But now it would treat
e.g.  CVE-2017-5650 as well as found in 8.0.14-1 which is not true.

Anyway, thanks a lot for taking care of those CVEs and fixing them!

Regards,
Salvatore

Message #36 received at 860068@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 860068@bugs.debian.org

Subject: Re: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

Date: Tue, 11 Apr 2017 18:32:37 +0200

[Message part 1 (text/plain, inline)]

Am 11.04.2017 um 17:44 schrieb Salvatore Bonaccorso:
[...]
>> I suggest to use the found/fixed tags as
>> needed.
> 
> NB: Which is exactly what I did (see the different found versions), to
> track correctly the version as well in BTS. But now it would treat
> e.g.  CVE-2017-5650 as well as found in 8.0.14-1 which is not true.
> 
> Anyway, thanks a lot for taking care of those CVEs and fixing them!
> 
> Regards,
> Salvatore

I appreciate that you already did an assessment which version is
affected or not. However I find it simpler to report all newly found
vulnerabilities with one bug report and then let the maintainer evaluate
the situation and act on the bug report as needed. Moritz does this a
lot when he reports CVEs. Your approach makes totally sense too but
since we have the security tracker with all those information, you have
already marked two CVEs as fixed in Jessie, it's not necessarily
imperative.

By the way we also have many CVEs with no Debian bug report and users
just have to rely on the security tracker for further information. In
fact we want them to use it and the bug reports are more a heads-up for
maintainers.

Of course this is just my stubborn opinion, it's not easy to please
everybody. Others will surely want that you report all those dozens of
CVEs for package X separately...

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]

Message #41 received at 860068@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: 860068@bugs.debian.org

Subject: tomcat8: CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651

Date: Wed, 12 Apr 2017 11:53:43 +0200

[Message part 1 (text/plain, inline)]

Control: retitle -1 tomcat8: CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651
Control: severity -1 serious

Let's get those security fixes into Stretch.

[signature.asc (application/pgp-signature, attachment)]

Message #48 received at 860068@bugs.debian.org (full text, mbox, reply):

From: pkg-java-maintainers@lists.alioth.debian.org

To: 860068@bugs.debian.org, 860068-submitter@bugs.debian.org

Subject: Pending fixes for bugs in the tomcat8 package

Date: Wed, 12 Apr 2017 12:10:41 +0000

tag 860068 + pending
thanks

Some bugs in the tomcat8 package are closed in revision
38af11ab73a485325ddb5c969586e59f6bb367f4 in branch 'master' by Markus
Koschany

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/tomcat8.git/commit/?id=38af11a

Commit message:

    Fix CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651
    
    Thanks: Salvatore Bonaccorso for the report.
    Closes: #860068
    
    Add CVE patches to series file.

Message #58 received at 860068-close@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: 860068-close@bugs.debian.org

Subject: Bug#860068: fixed in tomcat8 8.5.11-2

Date: Wed, 12 Apr 2017 12:19:12 +0000

Source: tomcat8
Source-Version: 8.5.11-2

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860068@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 12 Apr 2017 09:58:46 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source
Version: 8.5.11-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 860068
Changes:
 tomcat8 (8.5.11-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix the following security vulnerabilities (Closes: #860068):
     Thanks to Salvatore Bonaccorso for the report.
    - CVE-2017-5647:
      A bug in the handling of the pipelined requests when send file was used
      resulted in the pipelined request being lost when send file processing of
      the previous request completed. This could result in responses appearing
      to be sent for the wrong request. For example, a user agent that sent
      requests A, B and C could see the correct response for request A, the
      response for request C for request B and no response for request C.
    - CVE-2017-5648:
      It was noticed that some calls to application listeners did not use the
      appropriate facade object. When running an untrusted application under a
      SecurityManager, it was therefore possible for that untrusted application
      to retain a reference to the request or response object and thereby access
      and/or modify information associated with another web application.
    - CVE-2017-5650:
      The handling of an HTTP/2 GOAWAY frame for a connection did not close
      streams associated with that connection that were currently waiting for a
      WINDOW_UPDATE before allowing the application to write more data. These
      waiting streams each consumed a thread. A malicious client could therefore
      construct a series of HTTP/2 requests that would consume all available
      processing threads.
    - CVE-2017-5651:
      The refactoring of the HTTP connectors for 8.5.x onwards, introduced a
      regression in the send file processing. If the send file processing
      completed quickly, it was possible for the Processor to be added to the
      processor cache twice. This could result in the same Processor being used
      for multiple requests which in turn could lead to unexpected errors and/or
      response mix-up.
   *  debian/control: tomcat8: Fix Lintian error and depend on lsb-base.
Checksums-Sha1:
 b07cfdae4c9833e73465ee434c1d4b706859cb39 3088 tomcat8_8.5.11-2.dsc
 019f6dbd06a6327f57567244a2248353f56d6d3e 45956 tomcat8_8.5.11-2.debian.tar.xz
 5468a9cd8386358fb683764f3d3f8f678d0a4479 13448 tomcat8_8.5.11-2_amd64.buildinfo
Checksums-Sha256:
 ace4b04910808599fd769221054afea53b75d2405fb0cafe9918e5c74d930efe 3088 tomcat8_8.5.11-2.dsc
 22d22c58d4448d185c166b5e6585d5955be6d41a4a27d4ec6f52f2b0f5279407 45956 tomcat8_8.5.11-2.debian.tar.xz
 b4f70d38dfb6687d340ab32f0c3690960ac1e0892dde3e7fd486c5647eaf236a 13448 tomcat8_8.5.11-2_amd64.buildinfo
Files:
 0f2c32cce9287214efbbfcbc02358238 3088 java optional tomcat8_8.5.11-2.dsc
 09c42f3d51d3788d63a42cdaf11d2d76 45956 java optional tomcat8_8.5.11-2.debian.tar.xz
 e6048a67c2b73df2ff51f8da513029aa 13448 java optional tomcat8_8.5.11-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKiBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAljuGNVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkFpwP8wRf3aHpIkAAYXJi/55HdfjV6fp576UaCsdl
yQP6rHgyPjmZ3W7x5RaApiAVp2TfYIbeV7hG9CDc+PswTCkDViNkf8YBE3fkxAqD
BbmLtGJi38kV1rq2hajuR6s5sdRvOphuX5EdaKp8/iMjutTMd9E0VWRIzDYb4nyf
U9a4MTbtUxauJg1ILF+MuEEFHJ0sGyGWLHMKNs219jva/B7ILG+7d/oCST7Dlvny
e/fNTW3N2CRUfIafrJFNNX4OFUlapHBqruWn4/SNW7mrx/S0tOv0i3OlVVkLO6F9
V/AiDptQe0jeg/QuNRNv5EykP/kxo2VKoh+/jNchcH0UadG9tG2Beu4BqlcXbs5M
Tz/lPCk2Ee27yl3BmWJRVQcOxBMjIfG0yCepiTZS/saz9xyD2g6qSC8cgd5XT7F6
4DuKRj2q+RiriJ9HZonhl/qELh6XogC8IxUTi23+f9fN68yGJ83kvCi/+2T0rhqZ
BQ/8QQXNvaWW3LW3W0MaQZnYLdUSf0TUZJCcZGlAm6cdFWizw2DDQfVGzcXlLNMH
ralqKEiG/t3vFZftW2YysyyQraVNPz4LgRPHuRTnQ7wr64gachKNnXxOOIPDKbS+
919NOIZ+KgXO4rrwI0eNQ4rH8CunRuOXaNocNJOoaarFSTW2ARPdFJoWEcqkxHL7
5OLXAF8=
=hsJ8
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.