Your message dated Thu, 08 Jun 2017 21:08:08 +0000
with message-id <e1dj4f2-000a4g...@fasolo.debian.org>
and subject line Bug#864447: fixed in tomcat8 8.5.14-2
has caused the Debian Bug report #864447,
regarding tomcat8: CVE-2017-5664: Security constrained bypass in error page mechanism
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864447: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864447
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tomcat8
Version: 8.5.14-1
Severity: important
Tags: security patch upstream
Control: found -1 8.0.14-1

Hi,

the following vulnerability was published for tomcat8.

CVE-2017-5664[0]:
| The error page mechanism of the Java Servlet Specification requires
| that, when an error occurs and an error page is configured for the
| error that occurred, the original request and response are forwarded
| to the error page. This means that the request is presented to the
| error page with the original HTTP method. If the error page is a
| static file, expected behaviour is to serve content of the file as if
| processing a GET request, regardless of the actual HTTP method. The
| Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to
| 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this.
| Depending on the original request this could lead to unexpected and
| undesirable results for static error pages including, if the
| DefaultServlet is configured to permit writes, the replacement or
| removal of the custom error page. Notes for other user provided error
| pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP
| method. JSPs used as error pages must ensure that they handle any
| error dispatch as a GET request, regardless of the actual method. (2)
| By default, the response generated by a Servlet does depend on the
| HTTP method. Custom Servlets used as error pages must ensure that they
| handle any error dispatch as a GET request, regardless of the actual
| method.

The security-tracker page[0] also contains the commits for the 7.0.x,
8.0.x and 8.5.x branches.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5664
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664

Regards,
salvatore

--- End Message ---
--- Begin Message ---
Source: tomcat8
Source-Version: 8.5.14-2

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Jun 2017 12:28:34 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source
Version: 8.5.14-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 864447
Changes:
 tomcat8 (8.5.14-2) unstable; urgency=high
 .
   * Team upload.
   * Fixed CVE-2017-5664: Static error pages can be overwritten if the
     DefaultServlet is configured to permit writes (Closes: #864447)
Checksums-Sha1:
 1968435d98ecce70ed4c2f27cb18177eef02a4ec 2962 tomcat8_8.5.14-2.dsc
 151efe32da20d4b910b296ed8aba30b5c77d447f 42264 tomcat8_8.5.14-2.debian.tar.xz
 5c94e75adff3faf9875308fa96e35a07c07217f7 10062 tomcat8_8.5.14-2_source.buildinfo
Checksums-Sha256:
 e921d697faf8511791fe19787b82cb4ac3a25f8cfc7acc997b1c85cef9df8d0e 2962 tomcat8_8.5.14-2.dsc
 f42ade0a997beadbedfab0e1de3eaf65d4bf841199e34e09a021090d728ce9dd 42264 tomcat8_8.5.14-2.debian.tar.xz
 bd8965c73e7f589a99e75a9b4b4cec15ef206d0b7f647f47f70fe54dd9f2677e 10062 tomcat8_8.5.14-2_source.buildinfo
Files:
 46a95ee030621d2ca5cf8379707cfe33 2962 java optional tomcat8_8.5.14-2.dsc
 33077ac634f43d4610bb029d00570852 42264 java optional tomcat8_8.5.14-2.debian.tar.xz
 e13edbef2efddb3261a72e5104f255aa 10062 java optional tomcat8_8.5.14-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.
