tomcat8 (8.0.32-1ubuntu1.13) xenial-security; urgency=medium
* SECURITY UPDATE: infinite loop via invalid payload length
- debian/patches/CVE-2020-13935.patch: add additional payload length
validation in java/org/apache/tomcat/websocket/WsFrameBase.java,
java/org/apache/tomcat/websocket/LocalStrings.properties.
- CVE-2020-13935
* SECURITY UPDATE: HTTP Request Smuggling via invalid request smuggling
- debian/patches/CVE-2020-1935.patch: use stricter header value
parsing in java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
java/org/apache/coyote/http11/InternalAprInputBuffer.java,
java/org/apache/coyote/http11/InternalInputBuffer.java,
java/org/apache/tomcat/util/http/MimeHeaders.java,
java/org/apache/tomcat/util/http/parser/HttpParser.java,
test/org/apache/coyote/http11/TestInternalInputBuffer.java.
- CVE-2020-1935
* SECURITY UPDATE: remote code execution via deserialization of a file
under the attacker's control
- debian/patches/CVE-2020-9484.patch: improve validation of storage
location when using FileStore in
java/org/apache/catalina/session/FileStore.java,
java/org/apache/catalina/session/LocalStrings.properties.
- CVE-2020-9484
Date: 2020-08-03 12:05:24.815255+00:00
Changed-By: Marc Deslauriers <[email protected]>
Signed-By: Ubuntu Archive Robot
<[email protected]>
https://launchpad.net/ubuntu/+source/tomcat8/8.0.32-1ubuntu1.13
Sorry, changesfile not available.
--
Xenial-changes mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/xenial-changes
