[Bug 1721749] Re: Security Fix - CVE-2017-12617
tomcat7 (7.0.52-1ubuntu0.14) trusty-security; urgency=medium * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749) - debian/patches/CVE-2017-1261x.patch: add checks to java/org/apache/catalina/servlets/DefaultServlet.java java/org/apache/naming/resources/FileDirContext.java, java/org/apache/naming/resources/JrePlatform.java, java/org/apache/naming/resources/LocalStrings.properties, java/org/apache/naming/resources/VirtualDirContext.java, test/org/apache/naming/resources/TestFileDirContext.java. - CVE-2017-12616 - CVE-2017-12617 * SECURITY UPDATE: security constraints mapped to context root are ignored - debian/patches/CVE-2018-1304.patch: add check to java/org/apache/catalina/realm/RealmBase.java. - CVE-2018-1304 * SECURITY UPDATE: security constraint annotations applied too late - debian/patches/CVE-2018-1305.patch: change ordering in java/org/apache/catalina/Wrapper.java, java/org/apache/catalina/authenticator/AuthenticatorBase.java, java/org/apache/catalina/core/ApplicationContext.java, java/org/apache/catalina/core/ApplicationServletRegistration.java, java/org/apache/catalina/core/StandardContext.java, java/org/apache/catalina/core/StandardWrapper.java, java/org/apache/catalina/startup/ContextConfig.java, java/org/apache/catalina/startup/Tomcat.java, java/org/apache/catalina/startup/WebAnnotationSet.java. - CVE-2018-1305 * SECURITY UPDATE: CORS filter has insecure defaults - debian/patches/CVE-2018-8014.patch: change defaults in java/org/apache/catalina/filters/CorsFilter.java, java/org/apache/catalina/filters/LocalStrings.properties, test/org/apache/catalina/filters/TestCorsFilter.java, test/org/apache/catalina/filters/TesterFilterConfigs.java. - CVE-2018-8014 -- Marc Deslauriers Tue, 29 May 2018 10:22:42 -0400 ** Also affects: tomcat7 (Ubuntu) Importance: Undecided Status: New ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1261 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12616 ** Changed in: tomcat7 (Ubuntu Trusty) Status: New => Fix Released ** No longer affects: tomcat8 (Ubuntu Trusty) ** Changed in: tomcat7 (Ubuntu Artful) Status: New => Won't Fix ** No longer affects: tomcat7 (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1721749 Title: Security Fix - CVE-2017-12617 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1721749/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1721749] Re: Security Fix - CVE-2017-12617
This bug was fixed in the package tomcat8 - 8.0.32-1ubuntu1.6 --- tomcat8 (8.0.32-1ubuntu1.6) xenial-security; urgency=medium * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749) - debian/patches/CVE-2017-12617.patch: add checks to java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/webresources/AbstractFileResourceSet.java, java/org/apache/catalina/webresources/DirResourceSet.java, java/org/apache/tomcat/util/compat/JrePlatform.java, test/org/apache/catalina/webresources/AbstractTestResourceSet.java, test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java. - CVE-2017-12617 * SECURITY UPDATE: security constraints mapped to context root are ignored - debian/patches/CVE-2018-1304.patch: add check to java/org/apache/catalina/realm/RealmBase.java. - CVE-2018-1304 * SECURITY UPDATE: security constraint annotations applied too late - debian/patches/CVE-2018-1305.patch: change ordering in java/org/apache/catalina/Wrapper.java, java/org/apache/catalina/authenticator/AuthenticatorBase.java, java/org/apache/catalina/core/ApplicationContext.java, java/org/apache/catalina/core/ApplicationServletRegistration.java, java/org/apache/catalina/core/StandardContext.java, java/org/apache/catalina/core/StandardWrapper.java, java/org/apache/catalina/startup/ContextConfig.java, java/org/apache/catalina/startup/Tomcat.java, java/org/apache/catalina/startup/WebAnnotationSet.java. - CVE-2018-1305 * SECURITY UPDATE: CORS filter has insecure defaults - debian/patches/CVE-2018-8014.patch: change defaults in java/org/apache/catalina/filters/CorsFilter.java, java/org/apache/catalina/filters/LocalStrings.properties, test/org/apache/catalina/filters/TestCorsFilter.java, test/org/apache/catalina/filters/TesterFilterConfigs.java. - CVE-2018-8014 -- Marc Deslauriers Mon, 28 May 2018 13:21:29 -0400 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1721749 Title: Security Fix - CVE-2017-12617 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1721749/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1721749] Re: Security Fix - CVE-2017-12617
This bug was fixed in the package tomcat8 - 8.5.21-1ubuntu1.1 --- tomcat8 (8.5.21-1ubuntu1.1) artful-security; urgency=medium * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749) - debian/patches/CVE-2017-12617.patch: add checks to java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/webresources/AbstractFileResourceSet.java, java/org/apache/catalina/webresources/DirResourceSet.java, java/org/apache/tomcat/util/compat/JrePlatform.java, test/org/apache/catalina/webresources/AbstractTestResourceSet.java, test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java. - CVE-2017-12617 * SECURITY UPDATE: incorrectly documented CGI search algorithm - debian/patches/CVE-2017-15706.patch: adjust documentation in webapps/docs/cgi-howto.xml. - CVE-2017-15706 * SECURITY UPDATE: security constraints mapped to context root are ignored - debian/patches/CVE-2018-1304.patch: add check to java/org/apache/catalina/realm/RealmBase.java. - CVE-2018-1304 * SECURITY UPDATE: security constraint annotations applied too late - debian/patches/CVE-2018-1305.patch: change ordering in java/org/apache/catalina/Wrapper.java, java/org/apache/catalina/authenticator/AuthenticatorBase.java, java/org/apache/catalina/core/ApplicationContext.java, java/org/apache/catalina/core/ApplicationServletRegistration.java, java/org/apache/catalina/core/StandardContext.java, java/org/apache/catalina/core/StandardWrapper.java, java/org/apache/catalina/startup/ContextConfig.java, java/org/apache/catalina/startup/Tomcat.java, java/org/apache/catalina/startup/WebAnnotationSet.java. - CVE-2018-1305 * SECURITY UPDATE: CORS filter has insecure defaults - debian/patches/CVE-2018-8014.patch: change defaults in java/org/apache/catalina/filters/CorsFilter.java, java/org/apache/catalina/filters/LocalStrings.properties, test/org/apache/catalina/filters/TestCorsFilter.java, test/org/apache/catalina/filters/TesterFilterConfigs.java. - CVE-2018-8014 -- Marc Deslauriers Mon, 28 May 2018 09:03:55 -0400 ** Changed in: tomcat8 (Ubuntu Artful) Status: New => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15706 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1304 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1305 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-8014 ** Changed in: tomcat8 (Ubuntu Xenial) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1721749 Title: Security Fix - CVE-2017-12617 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1721749/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1721749] Re: Security Fix - CVE-2017-12617
fixed with 8.5.29-1 in bionic ** Also affects: tomcat8 (Ubuntu Artful) Importance: Undecided Status: New ** Also affects: tomcat8 (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: tomcat8 (Ubuntu Bionic) Importance: Undecided Status: Triaged ** Also affects: tomcat8 (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: tomcat8 (Ubuntu Bionic) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1721749 Title: Security Fix - CVE-2017-12617 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1721749/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1721749] Re: Security Fix - CVE-2017-12617
** Changed in: tomcat8 (Ubuntu) Status: New => Triaged ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1721749 Title: Security Fix - CVE-2017-12617 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1721749/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs