[ubuntu/xenial-security] tomcat8 8.0.32-1ubuntu1.13 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Tue Aug 4 16:50:49 UTC 2020
tomcat8 (8.0.32-1ubuntu1.13) xenial-security; urgency=medium
* SECURITY UPDATE: infinite loop via invalid payload length
- debian/patches/CVE-2020-13935.patch: add additional payload length
validation in java/org/apache/tomcat/websocket/WsFrameBase.java,
java/org/apache/tomcat/websocket/LocalStrings.properties.
- CVE-2020-13935
* SECURITY UPDATE: HTTP Request Smuggling via invalid request smuggling
- debian/patches/CVE-2020-1935.patch: use stricter header value
parsing in java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
java/org/apache/coyote/http11/InternalAprInputBuffer.java,
java/org/apache/coyote/http11/InternalInputBuffer.java,
java/org/apache/tomcat/util/http/MimeHeaders.java,
java/org/apache/tomcat/util/http/parser/HttpParser.java,
test/org/apache/coyote/http11/TestInternalInputBuffer.java.
- CVE-2020-1935
* SECURITY UPDATE: remote code execution via deserialization of a file
under the attacker's control
- debian/patches/CVE-2020-9484.patch: improve validation of storage
location when using FileStore in
java/org/apache/catalina/session/FileStore.java,
java/org/apache/catalina/session/LocalStrings.properties.
- CVE-2020-9484
Date: 2020-08-03 12:05:24.815255+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/tomcat8/8.0.32-1ubuntu1.13
-------------- next part --------------
Sorry, changesfile not available.
More information about the Xenial-changes
mailing list