Your message dated Sat, 24 Jun 2017 21:19:18 +0000
with message-id <e1dossc-0000yf...@fasolo.debian.org>
and subject line Bug#864447: fixed in tomcat8 8.0.14-1+deb8u10
has caused the Debian Bug report #864447,
regarding tomcat8: CVE-2017-5664: Security constrained bypass in error page mechanism
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864447: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864447
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tomcat8
Version: 8.5.14-1
Severity: important
Tags: security patch upstream
Control: found -1 8.0.14-1

Hi,

the following vulnerability was published for tomcat8.

CVE-2017-5664[0]:
| The error page mechanism of the Java Servlet Specification requires
| that, when an error occurs and an error page is configured for the
| error that occurred, the original request and response are forwarded
| to the error page. This means that the request is presented to the
| error page with the original HTTP method. If the error page is a
| static file, expected behaviour is to serve content of the file as if
| processing a GET request, regardless of the actual HTTP method. The
| Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to
| 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this.
| Depending on the original request this could lead to unexpected and
| undesirable results for static error pages including, if the
| DefaultServlet is configured to permit writes, the replacement or
| removal of the custom error page. Notes for other user provided error
| pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP
| method. JSPs used as error pages must ensure that they handle any
| error dispatch as a GET request, regardless of the actual method. (2)
| By default, the response generated by a Servlet does depend on the
| HTTP method. Custom Servlets used as error pages must ensure that they
| handle any error dispatch as a GET request, regardless of the actual
| method.

The security-tracker page[0] also lists the commits for the 7.0.x,
8.0.x and 8.5.x branches.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5664
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664

Regards,
salvatore

--- End Message ---
--- Begin Message ---
Source: tomcat8
Source-Version: 8.0.14-1+deb8u10

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 20 Jun 2017 20:26:44 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u10
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 864447
Changes:
 tomcat8 (8.0.14-1+deb8u10) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-5664.
     The error page mechanism of the Java Servlet Specification requires that,
     when an error occurs and an error page is configured for the error that
     occurred, the original request and response are forwarded to the error
     page. This means that the request is presented to the error page with the
     original HTTP method. If the error page is a static file, expected
     behaviour is to serve content of the file as if processing a GET request,
     regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
     did not do this. Depending on the original request this could lead to
     unexpected and undesirable results for static error pages including, if the
     DefaultServlet is configured to permit writes, the replacement or removal
     of the custom error page. (Closes: #864447)
Checksums-Sha1:
 6f99e5326b8cafe987e4cbee2341809e5052b2f6 3013 tomcat8_8.0.14-1+deb8u10.dsc
 e5b7ab130945d00d0bd92739e92dc3f036f145c4 77852 tomcat8_8.0.14-1+deb8u10.debian.tar.xz
 c46e4265dab09229ca4df9422c25c6e0a34fb4c8 58388 tomcat8-common_8.0.14-1+deb8u10_all.deb
 a83c5f514408b0ab1745d48f673179f0d96b51c2 48120 tomcat8_8.0.14-1+deb8u10_all.deb
 bb7d6eb8251b17024dcedd08b49ec92f058c0c71 35558 tomcat8-user_8.0.14-1+deb8u10_all.deb
 44e8be7ae7b2c173c5f2722452e05f3a5f6627d2 4592508 libtomcat8-java_8.0.14-1+deb8u10_all.deb
 53c333eb3282fed4a42f73663ff82f78cef46d81 392968 libservlet3.1-java_8.0.14-1+deb8u10_all.deb
 68017d2f8ce71ab61523e21a7ed4eb9767faa7f7 247930 libservlet3.1-java-doc_8.0.14-1+deb8u10_all.deb
 399dcc94d86245c15dc836161ff2b6215ef34933 36988 tomcat8-admin_8.0.14-1+deb8u10_all.deb
 486e5fdab33499b6a5b1085b38ee7bd2e4eba907 194830 tomcat8-examples_8.0.14-1+deb8u10_all.deb
 2fd45827426af6ce16671bcd569004f0334c5d5e 690056 tomcat8-docs_8.0.14-1+deb8u10_all.deb
Checksums-Sha256:
 a9b7bceacff85893701c290ff24dbca64c98bee34d4b0da3459194029d0a5d56 3013 tomcat8_8.0.14-1+deb8u10.dsc
 e43fc24db9446eba1bf8b68e8c031b71ccef26b0695188fb05c1ccaa3d516042 77852 tomcat8_8.0.14-1+deb8u10.debian.tar.xz
 a1fef9265283f21f99f641fb9890ec3337f5ea1fd59795551164a1396ecb025a 58388 tomcat8-common_8.0.14-1+deb8u10_all.deb
 c6cacc3a0c400da43c76e3067f5ffff9c0e070b2d1d66ee178f855a11cd9b2f4 48120 tomcat8_8.0.14-1+deb8u10_all.deb
 17728d81b3393c98013aa879d9bd1811bdea766a859b5269ac975fe2c30f9d41 35558 tomcat8-user_8.0.14-1+deb8u10_all.deb
 e0d19dc72d527bc2c8df6877d56255fd132812ee57261072848c165e807abc40 4592508 libtomcat8-java_8.0.14-1+deb8u10_all.deb
 58e2041b84de498ac6971cbd44aa96d3e706e7a32d260bedee7fccf896f994e6 392968 libservlet3.1-java_8.0.14-1+deb8u10_all.deb
 fc1cf9b33d5832978f75876e3fe642566115802a6e07106d4315aed982c1c5f9 247930 libservlet3.1-java-doc_8.0.14-1+deb8u10_all.deb
 869d729b1d52be7a13bfd57b94f9d5a13527233ec0358674157faa3a48de13c9 36988 tomcat8-admin_8.0.14-1+deb8u10_all.deb
 67362674e90e9e07aab912a26737c1290114af069aa1c3ed30868c31e545f278 194830 tomcat8-examples_8.0.14-1+deb8u10_all.deb
 d6a1e5a113c5396d68b801d25422b364463bdcdfc7e74ad46be8e7b490eed500 690056 tomcat8-docs_8.0.14-1+deb8u10_all.deb
Files:
 fef02d27967ab21df4c12e6dc2f49c15 3013 java optional tomcat8_8.0.14-1+deb8u10.dsc
 ec911468b97612986c65c4a04fcd9d46 77852 java optional tomcat8_8.0.14-1+deb8u10.debian.tar.xz
 a7fefff5e159e54ce79d0d2e54ccc1b4 58388 java optional tomcat8-common_8.0.14-1+deb8u10_all.deb
 e02d0608b563245910b34f32995a6ed4 48120 java optional tomcat8_8.0.14-1+deb8u10_all.deb
 e7e27e763866442697073b90b2de9f91 35558 java optional tomcat8-user_8.0.14-1+deb8u10_all.deb
 fb62929705dbe47cf4972b525e890ea1 4592508 java optional libtomcat8-java_8.0.14-1+deb8u10_all.deb
 cb959fb2271ff903e6d5c79cfcc94c56 392968 java optional libservlet3.1-java_8.0.14-1+deb8u10_all.deb
 c9e8a2ca571525f9956609f91ea2ce66 247930 doc optional libservlet3.1-java-doc_8.0.14-1+deb8u10_all.deb
 529f3b30dd29da0b4d0bf3d8dec83218 36988 java optional tomcat8-admin_8.0.14-1+deb8u10_all.deb
 a03a32e2e8b4636f480a0dd5a9f421aa 194830 java optional tomcat8-examples_8.0.14-1+deb8u10_all.deb
 5e8dccb7e192ceff4c28cd1ea0a5b2f9 690056 doc optional tomcat8-docs_8.0.14-1+deb8u10_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.
