ubuntu/+source/tomcat8:applied/debian/stretch

Last commit made on 2018-11-10
Get this branch:
git clone -b applied/debian/stretch https://git.launchpad.net/ubuntu/+source/tomcat8
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
applied/debian/stretch
Repository:
lp:ubuntu/+source/tomcat8

Recent commits

19ad30f... by Markus Koschany <email address hidden> on 2018-08-24

Import patches-applied version 8.5.14-1+deb9u3 to applied/debian/stretch

Imported using git-ubuntu import.

Changelog parent: 0bd25f59af0183699d5bca56160fdadc2f3740dd
Unapplied parent: 6294ec78d682cfb1ea7fca9d7ffcfc719e96932d

New changelog entries:
  [ Emmanuel Bourg ]
  * Fixed CVE-2018-1304: Security constraints mapped to context root are
    ignored. The URL pattern of "" (the empty string) which exactly maps to the
    context root was not correctly handled when used as part of a security
    constraint definition. This caused the constraint to be ignored. It was,
    therefore, possible for unauthorised users to gain access to web
    application resources that should have been protected. Only security
    constraints with a URL pattern of the empty string were affected.
  * Fixed CVE-2018-1305: Security constraint annotations applied too late.
    Security constraints defined by annotations of Servlets were only applied
    once a Servlet had been loaded. Because security constraints defined in
    this way apply to the URL pattern and any URLs below that point, it was
    possible - depending on the order Servlets were loaded - for some security
    constraints not to be applied. This could have exposed resources to users
    who were not authorised to access them.
  * Changed the Class-Path manifest entry of tomcat8-jasper.jar to use
    the specification jars from libtomcat8-java instead of libservlet3.1-java
    (Closes: #867247)
  [ Markus Koschany ]
  * Fix CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder
    with supplementary characters can lead to an infinite loop in the decoder
    causing a Denial of Service.
  * Fix CVE-2018-8034: The host name verification when using TLS with the
    WebSocket client was missing. It is now enabled by default.
  * Fix CVE-2018-8037: If an async request was completed by the application at
    the same time as the container triggered the async timeout, a race condition
    existed that could result in a user seeing a response intended for a
    different user. An additional issue was present in the NIO and NIO2
    connectors that did not correctly track the closure of the connection when an
    async request was completed by the application and timed out by the container
    at the same time. This could also result in a user seeing a response intended
    for another user.

6294ec7... by Markus Koschany <email address hidden> on 2018-08-24

CVE-2018-8037

Gbp-Pq: CVE-2018-8037.patch.

1e2c02c... by Markus Koschany <email address hidden> on 2018-08-24

CVE-2018-8034

Gbp-Pq: CVE-2018-8034.patch.

0005a8e... by Markus Koschany <email address hidden> on 2018-08-24

CVE-2018-1336

Gbp-Pq: CVE-2018-1336.patch.

414395e... by Markus Koschany <email address hidden> on 2018-08-24

CVE-2018-1305: Process all ServletSecurity annotations at web

Gbp-Pq: CVE-2018-1305.patch.

4d62911... by Markus Koschany <email address hidden> on 2018-08-24

CVE-2018-1304: The URL pattern of "" (the empty string) which

Gbp-Pq: CVE-2018-1304.patch.

21e2d47... by Markus Koschany <email address hidden> on 2018-08-24

CVE-2017-7675

Gbp-Pq: CVE-2017-7675.patch.

e74fcc9... by Markus Koschany <email address hidden> on 2018-08-24

CVE-2017-7674

Gbp-Pq: CVE-2017-7674.patch.

b756cd4... by Markus Koschany <email address hidden> on 2018-08-24

CVE-2017-5664: Static error pages can be overwritten

Gbp-Pq: CVE-2017-5664.patch.

e656dac... by Markus Koschany <email address hidden> on 2018-08-24

Don't check the IDEA cipher during the tests since it is disabled in Debian (see #327739)

Gbp-Pq: 0021-dont-test-unsupported-ciphers.patch.