Your message dated Thu, 21 May 2020 14:36:20 +0000
with message-id <e1jbmj2-0006jj...@fasolo.debian.org>
and subject line Bug#961209: fixed in tomcat9 9.0.35-1
has caused the Debian Bug report #961209,
regarding tomcat9: CVE-2020-9484
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
961209: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961209
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tomcat9
Version: 9.0.34-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 9.0.31-1~deb10u1
Control: found -1 9.0.16-4 

Hi,

The following vulnerability was published for tomcat9.

CVE-2020-9484[0]:
| When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to
| 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able
| to control the contents and name of a file on the server; and b) the
| server is configured to use the PersistenceManager with a FileStore;
| and c) the PersistenceManager is configured with
| sessionAttributeValueClassNameFilter="null" (the default unless a
| SecurityManager is used) or a sufficiently lax filter to allow the
| attacker provided object to be deserialized; and d) the attacker knows
| the relative file path from the storage location used by FileStore to
| the file the attacker has control over; then, using a specifically
| crafted request, the attacker will be able to trigger remote code
| execution via deserialization of the file under their control. Note
| that all of conditions a) to d) must be true for the attack to
| succeed.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-9484
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
[1] https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35

Regards,
Salvatore

--- End Message ---
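As an added illustration (not part of the bug report, and not Tomcat's or Debian's own configuration), the Tomcat Context fragment below shows a Manager set up the way conditions b) and c) of the CVE text describe, beside a hardened form that restricts which attribute value classes may be deserialized when a session is reloaded from the FileStore. The class names and attributes are Tomcat's documented Manager/Store settings; the directory path is a placeholder.

```xml
<!-- Added example, not from the bug report. Fragment for a Context
     (e.g. conf/context.xml or a per-application context descriptor). -->

<!-- WEAK: FileStore persistence with no sessionAttributeValueClassNameFilter,
     i.e. the "null" default mentioned in the CVE text. Any serializable class
     on the classpath may be deserialized when a session is loaded from disk. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat9/sessions"/>  <!-- placeholder path -->
  </Manager>
</Context>

<!-- HARDENED: same persistence, but only the listed java.lang value classes
     may be deserialized; any other attribute value is dropped on load and,
     with warnOnSessionAttributeFilterFailure, logged as a warning so the
     rejection is visible to operators. The filter is a regex matched against
     the fully qualified class name of each attribute value. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat9/sessions"/>  <!-- placeholder path -->
  </Manager>
</Context>
```

The filter only narrows condition c); the actual fix is the upgrade this report records (9.0.35-1), and applications storing their own types in sessions must add those classes to the pattern or sessions will silently lose attributes.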
--- Begin Message ---
Source: tomcat9
Source-Version: 9.0.35-1
Done: Emmanuel Bourg <ebo...@apache.org>

We believe that the bug you reported is fixed in the latest version of
tomcat9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated tomcat9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 21 May 2020 15:50:03 +0200
Source: tomcat9
Architecture: source
Version: 9.0.35-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Closes: 961209
Changes:
 tomcat9 (9.0.35-1) unstable; urgency=medium
 .
   * New upstream release
     - Fixes CVE-2020-9484: Remote Code Execution via session persistence (Closes: #961209)
     - Refreshed the patches


--- End Message ---
