[SECURITY] [DSA 3891-1] tomcat8 security update

2017-06-2208:05:13

lists.debian.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

JSON

Debian Security Advisory DSA-3891-1 [email protected]
https://www.debian.org/security/ Sebastien Delafond
June 22, 2017 https://www.debian.org/security/faq

Package : tomcat8
CVE ID : CVE-2017-5664
Debian Bug : 864447 802312

Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and
JSP engine, static error pages used the original request's HTTP method
to serve content, instead of systematically using the GET method. This
could under certain conditions result in undesirable results,
including the replacement or removal of the custom error page.

For the oldstable distribution (jessie), this problem has been fixed
in version 8.0.14-1+deb8u10.

For the stable distribution (stretch), this problem has been fixed in
version 8.5.14-1+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 8.5.14-2.

For the unstable distribution (sid), this problem has been fixed in
version 8.5.14-2.

We recommend that you upgrade your tomcat8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian8alltomcat8-common< 8.0.14-1+deb8u10tomcat8-common_8.0.14-1+deb8u10_all.deb
Debian7alltomcat7-admin< 7.0.28-4+deb7u14tomcat7-admin_7.0.28-4+deb7u14_all.deb
Debian9alllibtomcat8-java< 8.5.14-1+deb9u1libtomcat8-java_8.5.14-1+deb9u1_all.deb
Debian7alltomcat7-examples< 7.0.28-4+deb7u14tomcat7-examples_7.0.28-4+deb7u14_all.deb
Debian9alllibtomcat8-embed-java< 8.5.14-1+deb9u1libtomcat8-embed-java_8.5.14-1+deb9u1_all.deb
Debian9alllibservlet3.1-java< 8.5.14-1+deb9u1libservlet3.1-java_8.5.14-1+deb9u1_all.deb
Debian9alllibservlet3.1-java-doc< 8.5.14-1+deb9u1libservlet3.1-java-doc_8.5.14-1+deb9u1_all.deb
Debian8alltomcat8-user< 8.0.14-1+deb8u10tomcat8-user_8.0.14-1+deb8u10_all.deb
Debian8alllibservlet3.0-java-doc< 7.0.56-3+deb8u11libservlet3.0-java-doc_7.0.56-3+deb8u11_all.deb
Debian8alltomcat7-docs< 7.0.56-3+deb8u11tomcat7-docs_7.0.56-3+deb8u11_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	all	tomcat8-common	< 8.0.14-1+deb8u10	tomcat8-common_8.0.14-1+deb8u10_all.deb
Debian	7	all	tomcat7-admin	< 7.0.28-4+deb7u14	tomcat7-admin_7.0.28-4+deb7u14_all.deb
Debian	9	all	libtomcat8-java	< 8.5.14-1+deb9u1	libtomcat8-java_8.5.14-1+deb9u1_all.deb
Debian	7	all	tomcat7-examples	< 7.0.28-4+deb7u14	tomcat7-examples_7.0.28-4+deb7u14_all.deb
Debian	9	all	libtomcat8-embed-java	< 8.5.14-1+deb9u1	libtomcat8-embed-java_8.5.14-1+deb9u1_all.deb
Debian	9	all	libservlet3.1-java	< 8.5.14-1+deb9u1	libservlet3.1-java_8.5.14-1+deb9u1_all.deb
Debian	9	all	libservlet3.1-java-doc	< 8.5.14-1+deb9u1	libservlet3.1-java-doc_8.5.14-1+deb9u1_all.deb
Debian	8	all	tomcat8-user	< 8.0.14-1+deb8u10	tomcat8-user_8.0.14-1+deb8u10_all.deb
Debian	8	all	libservlet3.0-java-doc	< 7.0.56-3+deb8u11	libservlet3.0-java-doc_7.0.56-3+deb8u11_all.deb
Debian	8	all	tomcat7-docs	< 7.0.56-3+deb8u11	tomcat7-docs_7.0.56-3+deb8u11_all.deb