Your message dated Sat, 24 Jun 2017 14:51:40 +0000
with message-id <e1dompu-000h2u...@fasolo.debian.org>
and subject line Bug#864447: fixed in tomcat8 8.5.14-1+deb9u1
has caused the Debian Bug report #864447,
regarding tomcat8: CVE-2017-5664: Security constrained bypass in error page mechanism
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864447: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864447
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tomcat8
Version: 8.5.14-1
Severity: important
Tags: security patch upstream
Control: found -1 8.0.14-1

Hi,

the following vulnerability was published for tomcat8.

CVE-2017-5664[0]:
| The error page mechanism of the Java Servlet Specification requires
| that, when an error occurs and an error page is configured for the
| error that occurred, the original request and response are forwarded
| to the error page. This means that the request is presented to the
| error page with the original HTTP method. If the error page is a
| static file, expected behaviour is to serve content of the file as if
| processing a GET request, regardless of the actual HTTP method. The
| Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to
| 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this.
| Depending on the original request this could lead to unexpected and
| undesirable results for static error pages including, if the
| DefaultServlet is configured to permit writes, the replacement or
| removal of the custom error page. Notes for other user provided error
| pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP
| method. JSPs used as error pages must ensure that they handle any
| error dispatch as a GET request, regardless of the actual method. (2)
| By default, the response generated by a Servlet does depend on the
| HTTP method. Custom Servlets used as error pages must ensure that they
| handle any error dispatch as a GET request, regardless of the actual
| method.

The security-tracker page[0] also contains the commits for the 7.0.x,
8.0.x and 8.5.x branches.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5664
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664

Regards,
salvatore

--- End Message ---
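The CVE text above (and the changelog entry in the closing message) leaves two things to application authors: any custom error page must treat an ERROR dispatch as a GET whatever the original method was, and the DefaultServlet must not be left writable. The following is an added example, not code from the bug report, from Debian or from the Tomcat project. It shows a custom error Servlet that routes every ERROR dispatch to doGet, and an embedded Tomcat 8.5 setup (the API in libtomcat8-embed-java) that registers the DefaultServlet with readonly=true and maps 404/500 to that Servlet. The class names, port, base directory and docBase path are assumptions for illustration; `readonly` and `listings` are the real DefaultServlet init-params.

```java
// Added example (not from the bug report, Debian or the Tomcat project).
// 1. SafeErrorServlet renders every ERROR dispatch as a GET, as the CVE notes
//    require of JSP and Servlet error pages.
// 2. main() wires an embedded Tomcat 8.5 with a read-only DefaultServlet, so a
//    static error page cannot be replaced or removed by a forwarded PUT/DELETE.
// Class names, port 8080, base dir and docBase are assumptions for illustration.
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.DispatcherType;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.ErrorPage;

public class SafeErrorPage {

    /** Error page Servlet that ignores the original request's HTTP method. */
    public static class SafeErrorServlet extends HttpServlet {
        @Override
        protected void service(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            if (req.getDispatcherType() == DispatcherType.ERROR) {
                // The container forwards the *original* request here, so
                // req.getMethod() may be PUT, DELETE, POST, ... Render the page
                // as if it were a GET regardless of that method.
                doGet(req, resp);
                return;
            }
            // Direct (non-error) access keeps normal HttpServlet semantics:
            // GET renders, other methods get 405 from the base class.
            super.service(req, resp);
        }

        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            Integer status = (Integer) req.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
            int code = status == null ? HttpServletResponse.SC_NOT_FOUND : status;
            resp.setContentType("text/html;charset=UTF-8");
            // Deliberately do not echo the request URI or error message: an error
            // page that reflects attacker-controlled input would trade this bug for XSS.
            try (PrintWriter out = resp.getWriter()) {
                out.println("<!DOCTYPE html><html><body>");
                out.println("<h1>Error " + code + "</h1>");
                out.println("</body></html>");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        tomcat.setPort(8080);
        tomcat.setBaseDir("/tmp/tomcat-safe-error-page"); // assumed scratch dir

        // docBase "/var/www/static" is assumed; it only has to exist and be readable.
        Context ctx = tomcat.addContext("", "/var/www/static");

        // Static content via the DefaultServlet. readonly=true is Tomcat's default;
        // setting it explicitly documents the intent. readonly=false is the
        // precondition under which CVE-2017-5664 lets the error page be overwritten.
        Wrapper def = Tomcat.addServlet(ctx, "default",
                "org.apache.catalina.servlets.DefaultServlet");
        def.addInitParameter("readonly", "true");
        def.addInitParameter("listings", "false");
        def.setLoadOnStartup(1);
        def.addMapping("/");

        // Custom error Servlet; 404 and 500 reach it through an ERROR dispatch.
        Wrapper err = Tomcat.addServlet(ctx, "safeError", new SafeErrorServlet());
        err.addMapping("/error");
        for (int code : new int[] {404, 500}) {
            ErrorPage page = new ErrorPage();
            page.setErrorCode(code);
            page.setLocation("/error");
            ctx.addErrorPage(page);
        }

        tomcat.start();
        tomcat.getServer().await();
    }
}
```

Compile against libservlet3.1-java and libtomcat8-embed-java. The equivalent in a deployed web.xml is an `<init-param>` named `readonly` with value `true` on the `default` Servlet, which is also what Tomcat uses when the parameter is absent. A quick check on a running instance, whether patched or configured this way: send a PUT or DELETE with a small body to a path that is known to 404, then fetch the error page again and confirm it is unchanged and that the write was rejected rather than answered with a success status.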
--- Begin Message ---
Source: tomcat8
Source-Version: 8.5.14-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 21 Jun 2017 13:36:46 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source
Version: 8.5.14-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 864447
Changes:
 tomcat8 (8.5.14-1+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fixed CVE-2017-5664: Static error pages can be overwritten if the
     DefaultServlet is configured to permit writes (Closes: #864447)
Checksums-Sha1:
 def6568d9a61bed5724dc241899baee534a5e795 2990 tomcat8_8.5.14-1+deb9u1.dsc
 07d6fb8aafbfb114fa879976b6edd00fa2445abf 3325436 tomcat8_8.5.14.orig.tar.xz
 a1e39e169b7e5c25512b8d1eb22d0a685f19670c 42252 tomcat8_8.5.14-1+deb9u1.debian.tar.xz
 e53d78d0e80ca089dd6b7c96a3759f7e9ec72237 10183 tomcat8_8.5.14-1+deb9u1_source.buildinfo
Checksums-Sha256:
 b844e82d31c9276d1efd0be5c0082bbbb0f1ebd89e6778cff9f9e95f653ad86a 2990 tomcat8_8.5.14-1+deb9u1.dsc
 55793397099260a4f85e6ec810ac487faa4c4d03c24023dca99137d19e8808db 3325436 tomcat8_8.5.14.orig.tar.xz
 d9ac4fee10307a3c540a7a2bcb83bc1f2fe9b8fd250e6f03d1476ee5c4c7dc63 42252 tomcat8_8.5.14-1+deb9u1.debian.tar.xz
 033f94239cf6d08c0087caa1f84325d2f0bf3e81c3dc5a116eaacd071befe8b0 10183 tomcat8_8.5.14-1+deb9u1_source.buildinfo
Files:
 bbdbf0ec3ec8e2be35f840793bf3a55e 2990 java optional tomcat8_8.5.14-1+deb9u1.dsc
 cf8bd5c141d38fe2843286a07b153449 3325436 java optional tomcat8_8.5.14.orig.tar.xz
 5215b46942b69ce5b40d8b4b428dd5cf 42252 java optional tomcat8_8.5.14-1+deb9u1.debian.tar.xz
 78e06261c0188c87eb72b29a72c1e5c1 10183 java optional tomcat8_8.5.14-1+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.
