Source: tomcat8
Version: 8.5.14-1
Severity: important
Tags: security patch upstream
Control: found -1 8.0.14-1

Hi,

the following vulnerability was published for tomcat8.

CVE-2017-5664[0]:
| The error page mechanism of the Java Servlet Specification requires
| that, when an error occurs and an error page is configured for the
| error that occurred, the original request and response are forwarded
| to the error page. This means that the request is presented to the
| error page with the original HTTP method. If the error page is a
| static file, expected behaviour is to serve content of the file as if
| processing a GET request, regardless of the actual HTTP method. The
| Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to
| 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this.
| Depending on the original request this could lead to unexpected and
| undesirable results for static error pages including, if the
| DefaultServlet is configured to permit writes, the replacement or
| removal of the custom error page. Notes for other user provided error
| pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP
| method. JSPs used as error pages must ensure that they handle any
| error dispatch as a GET request, regardless of the actual method. (2)
| By default, the response generated by a Servlet does depend on the
| HTTP method. Custom Servlets used as error pages must ensure that they
| handle any error dispatch as a GET request, regardless of the actual
| method.

The security-tracker page[0] also contains the commits for the 7.0.x, 8.0.x and 8.5.x branches.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5664
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664

Regards,
salvatore

__
This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
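Note (2) of the advisory says that a custom servlet used as an error page must treat every error dispatch as a GET, whatever method the original request carried. The following servlet shows one way to do that; it is an added example written for this report, not code from Tomcat or from the Debian package, and the class name `ErrorPageServlet` and its `/errorPage` mapping are assumptions.

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical custom error page servlet (added example, not Tomcat code).
// Assumed to be registered in web.xml as:
//   <error-page><location>/errorPage</location></error-page>
public class ErrorPageServlet extends HttpServlet {

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // On an error dispatch the container forwards the ORIGINAL request, so
        // req.getMethod() may be PUT, DELETE, POST, ... rather than GET. Route
        // every error dispatch to the read-only GET handler, as note (2) in the
        // advisory requires, so the method of the failed request cannot change
        // what the error page does.
        if (req.getDispatcherType() == DispatcherType.ERROR) {
            doGet(req, resp);
            return;
        }
        // Direct (non-error) access keeps the normal per-method dispatch;
        // with no doPost/doPut/doDelete defined, those methods get 405.
        super.service(req, resp);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Standard error attributes set by the container on an error dispatch.
        Integer status = (Integer) req.getAttribute("javax.servlet.error.status_code");
        String uri = (String) req.getAttribute("javax.servlet.error.request_uri");
        // The handler only renders; it never writes to server-side state.
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Error " + (status == null ? "unknown" : status)
                + " while handling " + (uri == null ? "request" : uri));
    }
}
```

For a static error page served by the DefaultServlet the same GET-regardless-of-method behaviour is what the fixed Tomcat versions named in the advisory provide; this servlet only covers the custom-servlet case in note (2).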