Your message dated Sat, 24 Jun 2017 06:24:55 +0200
with message-id <[email protected]>
and subject line Re: Bug#864630: unblock: tomcat8/8.5.14-2
has caused the Debian Bug report #864630,
regarding stretch-pu: package tomcat8
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
864630: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864630
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package tomcat8; version 8.5.14-2 contains a fix
for CVE-2017-5664 (#864447).
Thank you,
Emmanuel Bourg
diff --git a/debian/changelog b/debian/changelog
index 363623db..9045d407 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tomcat8 (8.5.14-2) unstable; urgency=high
+
+ * Team upload.
+ * Fixed CVE-2017-5664: Static error pages can be overwritten if the
+ DefaultServlet is configured to permit writes (Closes: #864447)
+
+ -- Emmanuel Bourg <[email protected]> Thu, 08 Jun 2017 12:28:34 +0200
+
tomcat8 (8.5.14-1) unstable; urgency=medium
* Team upload.
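Review bot: the changelog entry names the CVE and closes #864447 but does not cite the upstream revisions the patch backports (r1793469 and r1793488, from the Origin header of debian/patches/CVE-2017-5664.patch); adding them to the bullet would let the stable release team cross-check the backport without opening the patch. urgency=high is appropriate for a security-only upload.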
diff --git a/debian/patches/CVE-2017-5664.patch
b/debian/patches/CVE-2017-5664.patch
new file mode 100644
index 00000000..44476c9b
--- /dev/null
+++ b/debian/patches/CVE-2017-5664.patch
@@ -0,0 +1,56 @@
+Description: CVE-2017-5664: Static error pages can be overwritten
+ if the DefaultServlet is configured to permit writes.
+Origin: backport, https://svn.apache.org/r1793469
+ https://svn.apache.org/r1793488
+--- a/java/org/apache/catalina/servlets/DefaultServlet.java
++++ b/java/org/apache/catalina/servlets/DefaultServlet.java
+@@ -407,6 +407,18 @@
+ }
+
+
++ @Override
++ protected void service(HttpServletRequest req, HttpServletResponse resp)
++ throws ServletException, IOException {
++
++ if (req.getDispatcherType() == DispatcherType.ERROR) {
++ doGet(req, resp);
++ } else {
++ super.service(req, resp);
++ }
++ }
++
++
+ /**
+ * Process a GET request for the specified resource.
+ *
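Review bot: this hunk references `DispatcherType`, `HttpServletRequest` and `HttpServletResponse` in DefaultServlet.java, yet unlike the WebdavServlet part of the patch (which adds `import javax.servlet.DispatcherType;`) there is no import hunk for this file; please confirm DefaultServlet.java already imports `javax.servlet.DispatcherType`, otherwise the package will fail to build. The override itself is the core of the fix: a request arriving through the ERROR dispatcher is always handled by `doGet`, so it can no longer reach `doPut`/`doDelete` and overwrite the static error page.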
+@@ -794,7 +806,7 @@
+ return;
+ }
+
+- boolean isError = response.getStatus() >=
HttpServletResponse.SC_BAD_REQUEST;
++ boolean isError = DispatcherType.ERROR == request.getDispatcherType();
+
+ boolean included = false;
+ // Check if the conditions specified in the optional If headers are
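Review bot: replacing `response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST` with `DispatcherType.ERROR == request.getDispatcherType()` is a semantic change, not just a refactor: a request whose response status is already 4xx/5xx but which did not arrive through the error dispatcher no longer takes the `isError` path. That is what upstream intends, but the patch Description only mentions the overwrite symptom; a sentence noting that `isError` is now dispatcher-based rather than status-based would help anyone reviewing the stable update.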
+--- a/java/org/apache/catalina/servlets/WebdavServlet.java
++++ b/java/org/apache/catalina/servlets/WebdavServlet.java
+@@ -30,6 +30,7 @@
+ import java.util.TimeZone;
+ import java.util.Vector;
+
++import javax.servlet.DispatcherType;
+ import javax.servlet.RequestDispatcher;
+ import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+@@ -315,6 +316,11 @@
+ return;
+ }
+
++ if (req.getDispatcherType() == DispatcherType.ERROR) {
++ doGet(req, resp);
++ return;
++ }
++
+ final String method = req.getMethod();
+
+ if (debug > 0) {
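Review bot: the early `return` for `DispatcherType.ERROR` is inserted before `final String method = req.getMethod();` and before the `if (debug > 0)` block, so error-dispatched requests to the WebDAV servlet are handled by `doGet` without any of the method dispatch or debug logging that follows; that matches the DefaultServlet change and is the safe direction, but it is worth confirming that losing the debug trace for these requests is acceptable. Separately, the DEP-3 header of this patch has Description and Origin but no `Bug-Debian: https://bugs.debian.org/864447` line; adding it keeps the patch self-describing once it is separated from the changelog.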
diff --git a/debian/patches/series b/debian/patches/series
index 1b369897..fe0ccaef 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
0018-fix-manager-webapp.patch
0019-add-distribution-to-error-page.patch
0021-dont-test-unsupported-ciphers.patch
+CVE-2017-5664.patch
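Review bot: the existing entries in debian/patches/series use a numbered `NNNN-` prefix (0018-, 0019-, 0021-), while the new entry is the bare `CVE-2017-5664.patch`; either naming is accepted by quilt, but a consistent prefix keeps the apply order visible from the filename alone. Appending it as the last entry is correct, since the patch must apply on top of the earlier ones.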
--- End Message ---
--- Begin Message ---
Control: tags -1 - moreinfo
Hi
On Sat, Jun 17, 2017 at 05:55:51PM +0100, Adam D. Barratt wrote:
> retitle 864630 stretch-pu: package tomcat8
> user [email protected]
> usertags 864630 = pu
> tags 864630 + stretch moreinfo
> thanks
>
> On Sun, 2017-06-11 at 22:59 +0200, Emmanuel Bourg wrote:
> > Please unblock package tomcat8, the version 8.5.14-2 contains a fix
> > for CVE-2017-5664 (#864447).
>
> Unfortunately this didn't get picked up before the release.
>
> Turning it into a proto-pu request for now, and CCing the Security Team
> to see how they'd like to handle the update in stretch.
This has been released with DSA 3891-1.
Regards,
Salvatore
--- End Message ---