[SECURITY] [DLA 924-1] tomcat7 security update

2017-04-2821:59:13

lists.debian.org

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.004 Low

EPSS

Percentile

71.7%

JSON

Package : tomcat7
Version : 7.0.28-4+deb7u12
CVE ID : CVE-2017-5647 CVE-2017-5648
Debian Bug : 860068

Two security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.

CVE-2017-5647
A bug in the handling of the pipelined requests when send file was
used resulted in the pipelined request being lost when send file
processing of the previous request completed. This could result in
responses appearing to be sent for the wrong request.

CVE-2017-5648
It was noticed that some calls to application listeners did not use
the appropriate facade object. When running an untrusted application
under a SecurityManager, it was therefore possible for that
untrusted application to retain a reference to the request or
response object and thereby access and/or modify information
associated with another web application.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u12.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8alltomcat8-common< 8.0.14-1+deb8u9tomcat8-common_8.0.14-1+deb8u9_all.deb
Debian8alllibservlet3.1-java-doc< 8.0.14-1+deb8u9libservlet3.1-java-doc_8.0.14-1+deb8u9_all.deb
Debian8alltomcat7-examples< 7.0.56-3+deb8u10tomcat7-examples_7.0.56-3+deb8u10_all.deb
Debian7alltomcat7-admin< 7.0.28-4+deb7u12tomcat7-admin_7.0.28-4+deb7u12_all.deb
Debian7alllibservlet3.0-java-doc< 7.0.28-4+deb7u12libservlet3.0-java-doc_7.0.28-4+deb7u12_all.deb
Debian7alltomcat7-common< 7.0.28-4+deb7u12tomcat7-common_7.0.28-4+deb7u12_all.deb
Debian8alllibservlet3.0-java< 7.0.56-3+deb8u10libservlet3.0-java_7.0.56-3+deb8u10_all.deb
Debian7alllibtomcat7-java< 7.0.28-4+deb7u12libtomcat7-java_7.0.28-4+deb7u12_all.deb
Debian8alllibtomcat8-java< 8.0.14-1+deb8u9libtomcat8-java_8.0.14-1+deb8u9_all.deb
Debian8alltomcat7< 7.0.56-3+deb8u10tomcat7_7.0.56-3+deb8u10_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	all	tomcat8-common	< 8.0.14-1+deb8u9	tomcat8-common_8.0.14-1+deb8u9_all.deb
Debian	8	all	libservlet3.1-java-doc	< 8.0.14-1+deb8u9	libservlet3.1-java-doc_8.0.14-1+deb8u9_all.deb
Debian	8	all	tomcat7-examples	< 7.0.56-3+deb8u10	tomcat7-examples_7.0.56-3+deb8u10_all.deb
Debian	7	all	tomcat7-admin	< 7.0.28-4+deb7u12	tomcat7-admin_7.0.28-4+deb7u12_all.deb
Debian	7	all	libservlet3.0-java-doc	< 7.0.28-4+deb7u12	libservlet3.0-java-doc_7.0.28-4+deb7u12_all.deb
Debian	7	all	tomcat7-common	< 7.0.28-4+deb7u12	tomcat7-common_7.0.28-4+deb7u12_all.deb
Debian	8	all	libservlet3.0-java	< 7.0.56-3+deb8u10	libservlet3.0-java_7.0.56-3+deb8u10_all.deb
Debian	7	all	libtomcat7-java	< 7.0.28-4+deb7u12	libtomcat7-java_7.0.28-4+deb7u12_all.deb
Debian	8	all	libtomcat8-java	< 8.0.14-1+deb8u9	libtomcat8-java_8.0.14-1+deb8u9_all.deb
Debian	8	all	tomcat7	< 7.0.56-3+deb8u10	tomcat7_7.0.56-3+deb8u10_all.deb