This bug was fixed in the package tomcat8 - 8.5.21-1ubuntu1.1
---------------
tomcat8 (8.5.21-1ubuntu1.1) artful-security; urgency=medium
* SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
- debian/patches/CVE-2017-12617.patch: add checks to
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
java/org/apache/catalina/webresources/DirResourceSet.java,
java/org/apache/tomcat/util/compat/JrePlatform.java,
test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
- CVE-2017-12617
* SECURITY UPDATE: incorrectly documented CGI search algorithm
- debian/patches/CVE-2017-15706.patch: adjust documentation in
webapps/docs/cgi-howto.xml.
- CVE-2017-15706
* SECURITY UPDATE: security constraints mapped to context root are ignored
- debian/patches/CVE-2018-1304.patch: add check to
java/org/apache/catalina/realm/RealmBase.java.
- CVE-2018-1304
* SECURITY UPDATE: security constraint annotations applied too late
- debian/patches/CVE-2018-1305.patch: change ordering in
java/org/apache/catalina/Wrapper.java,
java/org/apache/catalina/authenticator/AuthenticatorBase.java,
java/org/apache/catalina/core/ApplicationContext.java,
java/org/apache/catalina/core/ApplicationServletRegistration.java,
java/org/apache/catalina/core/StandardContext.java,
java/org/apache/catalina/core/StandardWrapper.java,
java/org/apache/catalina/startup/ContextConfig.java,
java/org/apache/catalina/startup/Tomcat.java,
java/org/apache/catalina/startup/WebAnnotationSet.java.
- CVE-2018-1305
* SECURITY UPDATE: CORS filter has insecure defaults
- debian/patches/CVE-2018-8014.patch: change defaults in
java/org/apache/catalina/filters/CorsFilter.java,
java/org/apache/catalina/filters/LocalStrings.properties,
test/org/apache/catalina/filters/TestCorsFilter.java,
test/org/apache/catalina/filters/TesterFilterConfigs.java.
- CVE-2018-8014
-- Marc Deslauriers <[email protected]> Mon, 28 May 2018
09:03:55 -0400
** Changed in: tomcat8 (Ubuntu Artful)
Status: New => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15706
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1304
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1305
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-8014
** Changed in: tomcat8 (Ubuntu Xenial)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1721749
Title:
Security Fix - CVE-2017-12617
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1721749/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
