tomcat9: CVE-2019-0221


Debian Bug report logs - #929895


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 2 Jun 2019 19:24:01 UTC

Severity: normal

Tags: security, upstream

Found in version tomcat9/9.0.16-3

Fixed in version tomcat9/9.0.16-4

Done: Emmanuel Bourg <ebourg@apache.org>





Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#929895; Package src:tomcat9. (Sun, 02 Jun 2019 19:24:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 02 Jun 2019 19:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tomcat9: CVE-2019-0221
Date: Sun, 02 Jun 2019 21:21:34 +0200
Source: tomcat9
Version: 9.0.16-3
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for tomcat9.

CVE-2019-0221[0]:
| The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0
| to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without
| escaping and is, therefore, vulnerable to XSS. SSI is disabled by
| default. The printenv command is intended for debugging and is
| unlikely to be present in a production website.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-0221
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0221

Regards,
Salvatore
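The XSS the advisory text above describes, as an added illustration that is not part of the bug report or of Tomcat's own code: a small Python stand-in for an SSI processor that expands `<!--#printenv -->` either verbatim (the pre-fix behaviour) or with HTML-entity encoding (the hardened form). The variable names, the sample page and the request values are constructed for the example; Tomcat's real variable set and escaping routine are not reproduced here.

```python
import html
import re

# Constructed sample of what an SSI printenv dump contains. Request headers and
# the query string are attacker-controlled, so any of them can carry markup.
SAMPLE_ENV = {
    "DOCUMENT_NAME": "debug.shtml",
    "SERVER_SOFTWARE": "Apache Tomcat/9.0.16",                    # constructed value
    "QUERY_STRING": "debug=1",
    "HTTP_USER_AGENT": "Mozilla/5.0 <script>alert(1)</script>",   # constructed payload
}

# Constructed page: printenv is typically dropped into a debug page like this.
PAGE = "<html><body><h1>Debug</h1><pre><!--#printenv --></pre></body></html>"

PRINTENV = re.compile(r"<!--#\s*printenv\s*-->")
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_printenv(page: str, env: dict, escape: bool) -> str:
    """Expand every <!--#printenv --> directive in `page` with a dump of `env`.

    escape=False reproduces the behaviour the advisory describes: values are
    copied into the response verbatim, so a header or query parameter can
    inject markup.  escape=True is the hardened form: names and values are
    HTML-entity encoded, so '<', '>', '&' and quotes lose their meaning.
    """
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    dump = "".join(f"{enc(k)}={enc(v)}\n" for k, v in sorted(env.items()))
    # A callable replacement avoids re's backslash processing on the dump.
    return PRINTENV.sub(lambda _m: dump, page)


def reflects_script(rendered: str) -> bool:
    """True when a <script> tag survives into the rendered response."""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    for escape in (False, True):
        out = render_printenv(PAGE, SAMPLE_ENV, escape)
        print(f"escape={escape}: script reflected = {reflects_script(out)}")
        print(out)
```

The check is deliberately on the rendered response rather than on the input: the fix is output encoding at the sink, and the same User-Agent value is harmless in a log file and only becomes a problem once it is written into an HTML body without encoding.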



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#929895. (Thu, 13 Jun 2019 21:51:10 GMT)


Message #8 received at 929895-submitter@bugs.debian.org:

From: Emmanuel Bourg <noreply@salsa.debian.org>
To: 929895-submitter@bugs.debian.org
Subject: Bug#929895 marked as pending in tomcat9
Date: Thu, 13 Jun 2019 21:48:44 +0000
Control: tag -1 pending

Hello,

Bug #929895 in tomcat9 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/tomcat9/commit/ca79dadc717b87cf9539923f03055cce3485ffa6

------------------------------------------------------------------------
Fixed CVE-2019-0221: XSS in SSI printenv (Closes: #929895)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/929895



Added tag(s) pending. Request was from Emmanuel Bourg <noreply@salsa.debian.org> to 929895-submitter@bugs.debian.org. (Thu, 13 Jun 2019 21:51:10 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#929895. (Thu, 13 Jun 2019 21:51:17 GMT)


Message #13 received at 929895-submitter@bugs.debian.org:

From: Emmanuel Bourg <noreply@salsa.debian.org>
To: 929895-submitter@bugs.debian.org
Subject: Bug#929895 marked as pending in tomcat9
Date: Thu, 13 Jun 2019 21:51:00 +0000
Control: tag -1 pending

Hello,

Bug #929895 in tomcat9 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/tomcat9/commit/ca79dadc717b87cf9539923f03055cce3485ffa6

------------------------------------------------------------------------
Fixed CVE-2019-0221: XSS in SSI printenv (Closes: #929895)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/929895



Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Thu, 13 Jun 2019 22:06:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 13 Jun 2019 22:06:09 GMT)


Message #18 received at 929895-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 929895-close@bugs.debian.org
Subject: Bug#929895: fixed in tomcat9 9.0.16-4
Date: Thu, 13 Jun 2019 22:03:45 +0000
Source: tomcat9
Source-Version: 9.0.16-4

We believe that the bug you reported is fixed in the latest version of
tomcat9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929895@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated tomcat9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 13 Jun 2019 23:26:12 +0200
Source: tomcat9
Architecture: source
Version: 9.0.16-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Closes: 925928 925929 926319 929895
Changes:
 tomcat9 (9.0.16-4) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Emmanuel Bourg ]
   * Fixed CVE-2019-0221: The SSI printenv command echoes user provided data
     without escaping and is, therefore, vulnerable to XSS. SSI is disabled
     by default (Closes: #929895)
 .
   [ Thorsten Glaser ]
   * Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses
     a suitable GC automatically anyway (Closes: #925928)
   * Correct the ownership and permissions on the log directory:
     group adm and setgid (Closes: #925929)
   * Make the startup script honour the (renamed) $SECURITY_MANAGER
   * debian/libexec/tomcat-locate-java.sh: Remove shebang and make
     not executable as this is only ever sourced (makes no sense otherwise)
 .
   [ Christian Hänsel ]
   * Restored the variable expansion in /etc/default/tomcat9 (Closes: #926319)
Checksums-Sha1:
 7894d90f36844414a224181e83312bd7c15b7e3b 2731 tomcat9_9.0.16-4.dsc
 2a6c85287daf3b2f7a1594050ca7b75595cb6eb1 33208 tomcat9_9.0.16-4.debian.tar.xz
 b77d468a565e2385449d63bf1bf127381d45d357 13520 tomcat9_9.0.16-4_source.buildinfo
Checksums-Sha256:
 9de699b8370663a7978b0cd3308f7d513d26cf75f97a22ff6f77fa0fc0f4108b 2731 tomcat9_9.0.16-4.dsc
 9aca7424210d8d81bce6542f4177d6fc6824a90d698083fe586268e0869b797d 33208 tomcat9_9.0.16-4.debian.tar.xz
 53d9af41679beedec6fc1759c88f1a08d00d5d5e4b8e545d5cf3cf2a69fa1548 13520 tomcat9_9.0.16-4_source.buildinfo
Files:
 7e72313577037a6ef165759567a12f92 2731 java optional tomcat9_9.0.16-4.dsc
 449c291a39acb3cd67c2d7c9ab3dcfe0 33208 java optional tomcat9_9.0.16-4.debian.tar.xz
 69fc94d44058a03afc694b3effd166e9 13520 java optional tomcat9_9.0.16-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAl0CxdoSHGVib3VyZ0Bh
cGFjaGUub3JnAAoJEPUTxBnkudCs78EP/iXFnZ7yr2MWKoqPTalafgw50uHapHE2
wXnCNGNOd32sMMSe4HFACxeanez8T8LkN410/QA7V8oRBpzfwABrvi6qTvpCRjgJ
O6V0iAqfVtqszXem8j066kviDox9RJfUXdxhTPF3h8WvhEy+f5uVSrtjM8/3z4h0
tITb7Kq9LqJ7yil4wvbQbVQF24hsNMf80zsbMxd5IOirb8Zhfk2RBa9RgykBTuC5
LFEFts1cmI0Y3SRw8hOYUMvJ364PsuWz5ngiNsNmFLWPEKDgks0h5UE4rQ2IQS3M
YfJuo4VIGrtpl8MvP5Gl1mReB+4+ypgqN9B4ePSKdu3/5tOPrvF7I1p5vOek+fy9
qQK73exMjKgp7wKhhV1IXBA9mVpW+3gjYZdpL6rMF6otQdS9J1wYpMd3kJb9TZ9j
WoZAccj6LX323O95YoiSgoZg5Pg3EiU+JLS95E8A8V3o7cdYPI4f07S18Sf5t/zs
x7HeM+VV7Zdn6mzUeBCw5H/imHaSr3FtTXH3/qdQG4cY1mtqucrBiio36XmUmC8C
ZqrsMoxm7qqGDK2MyRjs5RdQGfmKUyvjbqMK9HKP8SvwENfIsmJyrEEaNq/By0CR
918r7LJWbF53GlyWhP8fSleoC9MG6TEqc4+7h8UZFg0PZ5eE43iXfO65jP31A1mm
PjOVqcAw0Evh
=5biw
-----END PGP SIGNATURE-----
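Both the advisory and the changelog entry above rest on SSI being disabled by default, so the practical question on a host running the affected package is whether someone turned it on and left a printenv page behind. The following Python audit is added here and is not part of the tomcat9 package or of the bug report: it reports SSI servlet/filter declarations found in a Tomcat `web.xml` (declarations that sit inside an XML comment, as in the shipped file, are ignored because the parser discards comments) and lists files under a webapps tree that match the SSI URL pattern and carry a `printenv` directive. The `web.xml` fragments and the temporary webapps tree are constructed for the example; `/etc/tomcat9/web.xml` and `/var/lib/tomcat9/webapps` are the assumed Debian paths to point it at.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# The two classes Tomcat ships for SSI; either being declared means SSI is on.
SSI_CLASSES = {
    "org.apache.catalina.ssi.SSIServlet",
    "org.apache.catalina.ssi.SSIFilter",
}
PRINTENV = re.compile(r"<!--#\s*printenv\s*-->")


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on web.xml element names."""
    return tag.rsplit("}", 1)[-1]


def ssi_classes_declared(web_xml_text: str) -> set:
    """Return the SSI classes declared in a web.xml.

    Commented-out declarations, which is how the default Tomcat web.xml ships
    them, are not seen because the XML parser discards comments.
    """
    root = ET.fromstring(web_xml_text)
    found = set()
    for el in root.iter():
        if _local(el.tag) in ("servlet-class", "filter-class"):
            cls = (el.text or "").strip()
            if cls in SSI_CLASSES:
                found.add(cls)
    return found


def find_printenv(webapps_dir, pattern: str = "*.shtml") -> list:
    """List files matching `pattern` under webapps_dir that use printenv."""
    base = Path(webapps_dir)
    hits = []
    for p in base.rglob(pattern):
        if p.is_file() and PRINTENV.search(p.read_text(errors="replace")):
            hits.append(p.relative_to(base).as_posix())
    return sorted(hits)


# Constructed web.xml fragment with SSI enabled (assumed default path on
# Debian: /etc/tomcat9/web.xml).
WEB_XML_ENABLED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
    <load-on-startup>4</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>ssi</servlet-name>
    <url-pattern>*.shtml</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed fragment mirroring the shipped default: same block, commented out.
WEB_XML_DEFAULT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <!--
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ssi</servlet-name>
    <url-pattern>*.shtml</url-pattern>
  </servlet-mapping>
  -->
</web-app>
"""


def demo() -> list:
    """Scan a constructed temporary webapps tree; returns the printenv hits."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "ROOT"
        app.mkdir()
        (app / "debug.shtml").write_text("<pre><!--#printenv --></pre>\n")
        (app / "index.shtml").write_text('<!--#echo var="DATE_LOCAL" -->\n')
        # Not reported: with the *.shtml mapping this file never reaches SSI.
        (app / "notes.html").write_text("<!--#printenv -->\n")
        return find_printenv(tmp)


if __name__ == "__main__":
    print("enabled web.xml:", ssi_classes_declared(WEB_XML_ENABLED))
    print("default web.xml:", ssi_classes_declared(WEB_XML_DEFAULT))
    print("printenv pages :", demo())
```

A declared SSI servlet is necessary but not sufficient for the directive to run: Tomcat only processes SSI in a context marked privileged, so a hit from `ssi_classes_declared` should be followed by a look at the web application's context configuration before treating the printenv pages as reachable. Conversely, a web application can declare the SSI servlet in its own `WEB-INF/web.xml`, so the global file is not the only place to check.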






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:20:19 2019; Machine Name: buxtehude
