[ubuntu/xenial-security] tomcat8 8.0.32-1ubuntu1.6 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Wed May 30 17:35:39 UTC 2018
tomcat8 (8.0.32-1ubuntu1.6) xenial-security; urgency=medium
* SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
- debian/patches/CVE-2017-12617.patch: add checks to
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
java/org/apache/catalina/webresources/DirResourceSet.java,
java/org/apache/tomcat/util/compat/JrePlatform.java,
test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
- CVE-2017-12617
* SECURITY UPDATE: security constraints mapped to context root are ignored
- debian/patches/CVE-2018-1304.patch: add check to
java/org/apache/catalina/realm/RealmBase.java.
- CVE-2018-1304
* SECURITY UPDATE: security constraint annotations applied too late
- debian/patches/CVE-2018-1305.patch: change ordering in
java/org/apache/catalina/Wrapper.java,
java/org/apache/catalina/authenticator/AuthenticatorBase.java,
java/org/apache/catalina/core/ApplicationContext.java,
java/org/apache/catalina/core/ApplicationServletRegistration.java,
java/org/apache/catalina/core/StandardContext.java,
java/org/apache/catalina/core/StandardWrapper.java,
java/org/apache/catalina/startup/ContextConfig.java,
java/org/apache/catalina/startup/Tomcat.java,
java/org/apache/catalina/startup/WebAnnotationSet.java.
- CVE-2018-1305
* SECURITY UPDATE: CORS filter has insecure defaults
- debian/patches/CVE-2018-8014.patch: change defaults in
java/org/apache/catalina/filters/CorsFilter.java,
java/org/apache/catalina/filters/LocalStrings.properties,
test/org/apache/catalina/filters/TestCorsFilter.java,
test/org/apache/catalina/filters/TesterFilterConfigs.java.
- CVE-2018-8014
Date: 2018-05-29 14:00:27.571791+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/tomcat8/8.0.32-1ubuntu1.6
-------------- next part --------------
Sorry, changesfile not available.
More information about the Xenial-changes
mailing list