[SECURITY] [DLA 2596-1] tomcat8 security update

2021-03-15 Thread Anton Gladky
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2594-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
March 15, 2021                                   https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package: tomcat8
Version: 8.5.54-0+deb9u6
CVE ID: CVE-2021-24122 CVE-2021-25122 CVE-2021-25329

Three security issues have been detected in tomcat8.

CVE-2021-24122

When serving resources from a network location using the NTFS file system,
Apache Tomcat versions 8.5.0 to 8.5.59 are susceptible to JSP source code
disclosure in some configurations. The root cause was the unexpected
behaviour of the JRE API File.getCanonicalPath() which in turn was caused
by the inconsistent behaviour of the Windows API (FindFirstFileW) in some
circumstances.

CVE-2021-25122

When responding to new h2c connection requests, Apache Tomcat could
duplicate request headers and a limited amount of request body from one
request to another meaning user A and user B could both see the results
of user A's request.

CVE-2021-25329

The fix for 2020-9484 was incomplete. When using Apache Tomcat 8.5.0 to
8.5.61 with a configuration edge case that was highly unlikely to be used,
the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both
the previously published prerequisites for CVE-2020-9484 and the
previously published mitigations for CVE-2020-9484 also apply to this
issue.

For Debian 9 stretch, these problems have been fixed in version
8.5.54-0+deb9u6.

We recommend that you upgrade your tomcat8 packages.

For the detailed security status of tomcat8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat8

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



Accepted tomcat8 8.5.54-0+deb9u6 (source) into oldstable

2021-03-15 Thread Debian FTP Masters
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Mar 2021 21:18:04 +0100
Source: tomcat8
Architecture: source
Version: 8.5.54-0+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Anton Gladky 
Changes:
 tomcat8 (8.5.54-0+deb9u6) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2021-25122
   When responding to new h2c connection requests, Apache Tomcat could
   duplicate request headers and a limited amount of request body from one
   request to another meaning user A and user B could both see the results
   of user A's request.
   * Fix CVE-2021-25329
   The fix for 2020-9484 was incomplete. When using Apache Tomcat 8.5.0 to
   8.5.61 with a configuration edge case that was highly unlikely to be used,
   the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both
   the previously published prerequisites for CVE-2020-9484 and the
   previously published mitigations for CVE-2020-9484 also apply to this
   issue.
   * Fix CVE-2021-24122
   When serving resources from a network location using the NTFS file system,
   Apache Tomcat versions 8.5.0 to 8.5.59 are susceptible to JSP source code
   disclosure in some configurations. The root cause was the unexpected
   behaviour of the JRE API File.getCanonicalPath() which in turn was caused
   by the inconsistent behaviour of the Windows API (FindFirstFileW) in some
   circumstances.
Checksums-Sha1:
 10bcfc03798e49fe012d387cbff2b76ce61ad423 2950 tomcat8_8.5.54-0+deb9u6.dsc
 4114d45265829b2a3c4c841c2844f9f0d4530c54 51720 tomcat8_8.5.54-0+deb9u6.debian.tar.xz
 bc9407b8995bba74ad756b84b0a30ec3c9ed655b 7350 tomcat8_8.5.54-0+deb9u6_source.buildinfo
Checksums-Sha256:
 daea5051024ffebbb44b9f0bce580055f69c245502f431660a02b05eb137324d 2950 tomcat8_8.5.54-0+deb9u6.dsc
 60fc007b77b1bddbbee8d14e5dfd67e1d4f8d0c81de730915f251fc9d6aad0af 51720 tomcat8_8.5.54-0+deb9u6.debian.tar.xz
 c3d7487cbd41e989c5b7e9dd435a210c0144c290889a3cba067c042e0c44a534 7350 tomcat8_8.5.54-0+deb9u6_source.buildinfo
Files:
 343e4b6277025352c6a42d4b7911c9f4 2950 java optional tomcat8_8.5.54-0+deb9u6.dsc
 fb4a9142fe44b0c350b31caae842 51720 java optional tomcat8_8.5.54-0+deb9u6.debian.tar.xz
 21b00200fba62abd6bac14371b5b1321 7350 java optional tomcat8_8.5.54-0+deb9u6_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



RE: [EXTERNAL] Re: Bug#962596: Backport to stretch?

2021-03-15 Thread Damon Tivel
Thanks so much, Utkarsh!

Damon

-Original Message-
From: Utkarsh Gupta
Sent: Saturday, March 13, 2021 11:10 AM
To: Damon Tivel; Michael Simons (.NET)
Cc: debian-lts@lists.debian.org; 962...@bugs.debian.org; Jon Douglas
Subject: [EXTERNAL] Re: Bug#962596: Backport to stretch?

Hi Damon, Michael,

On Sat, Mar 13, 2021 at 9:55 PM Utkarsh Gupta  wrote:
> So the upload should happen by this weekend!

This fix has now been patched, uploaded, accepted, and announced[1].
[1]: https://lists.debian.org/debian-lts-announce/2021/03/msg00016.html

This also means that the G/H issue
(https://github.com/NuGet/Announcements/issues/49)
can now be updated to mark Debian 9 ("stretch") as resolved. Should you need
any more information or help with this, please let me know.


- u



(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2021-03-15 Thread Holger Levsen
hi,

today one package was unclaimed for LTS:
- php-pear (Ola Lundqvist)

and none for ELTS.

No one claimed 4 packages or more.

Two DLAs which already had been reserved last week have not yet been published:
- DLA 2592-1 (13 Mar 2021) (golang-1.8)
- DLA 2591-1 (13 Mar 2021) (golang-1.7)


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




DLA 2550-1: CVE-2020-27844: Patch present in source but not applied?

2021-03-15 Thread Salvatore Bonaccorso
Hi Brian, LTS team,

This was reported by the Ubuntu security team: The DLA 2550-1 update
was aiming to fix CVE-2020-27844 as well, but it looks like, whilst a
patch is included in debian/patches, the series file does not apply
it.

To be on the safe side I have removed the listing for CVE-2020-27844 in
the DLA 2550-1, but please double-check if this is correct?

Regards,
Salvatore
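The failure mode described in this thread, a patch sitting in debian/patches that debian/patches/series never lists, so dpkg-source never applies it, is cheap to catch before upload. The script below is an added example for this thread, not Debian's or quilt's own tooling. It reads a quilt-style series file (blank lines and `#` comments ignored, trailing options such as `-p1` dropped) and reports both patch files the series does not apply and series entries with no file. The sample file listing and series text are constructed; `check_source_tree()` runs the same check on a real unpacked source package directory.

```python
"""Flag patch files under debian/patches that the series file never applies,
and series entries that have no file (added example, not Debian tooling)."""
from pathlib import Path
from typing import Iterable, List, Tuple


def parse_series(text: str) -> List[str]:
    """Patch names listed in a quilt series file, in application order.
    Blank lines and '#' comments are ignored; options after the name
    (e.g. '-p1', the strip level) are dropped since only the file matters."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line.split()[0])
    return names


def unapplied_patches(patch_files: Iterable[str], series_text: str) -> Tuple[List[str], List[str]]:
    """patch_files: file names under debian/patches, relative to that dir.
    Returns (unlisted, missing): files the series never applies, and series
    entries with no corresponding file. The series file itself and dotfiles
    are not patches and are skipped."""
    listed = parse_series(series_text)
    on_disk = {
        f for f in patch_files
        if f != "series" and not Path(f).name.startswith(".")
    }
    unlisted = sorted(on_disk - set(listed))
    missing = sorted(set(listed) - on_disk)
    return unlisted, missing


def check_source_tree(root) -> Tuple[List[str], List[str]]:
    """Run the check on an unpacked source package rooted at `root`
    (assumed layout: <root>/debian/patches/series)."""
    patches = Path(root) / "debian" / "patches"
    files = [p.relative_to(patches).as_posix()
             for p in patches.rglob("*") if p.is_file()]
    return unapplied_patches(files, (patches / "series").read_text())


# Constructed sample: the CVE patch exists on disk but is never listed,
# which is exactly the situation reported for DLA 2550-1 above.
SAMPLE_FILES = ["CVE-2020-27844.patch", "fix-build.patch", "series"]
SAMPLE_SERIES = "# applied in this order\nfix-build.patch -p1\n"


if __name__ == "__main__":
    unlisted, missing = unapplied_patches(SAMPLE_FILES, SAMPLE_SERIES)
    for name in unlisted:
        print(f"present but not in series (never applied): {name}")
    for name in missing:
        print(f"listed in series but no such file: {name}")
```

Anything that is not a patch but lives in debian/patches (a README, say) will show up as "unlisted" too; that is intentional, since a stray file there deserves a look, but it can be filtered by extension if it gets noisy.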