Package "tomcat8"

Name: tomcat8
Description: Apache Tomcat 8 - Servlet and JSP engine
Latest version: 8.0.32-1ubuntu1.13
Release: xenial (16.04)
Level: security
Repository: main
Homepage: http://tomcat.apache.org

Changelog
tomcat8 (8.0.32-1ubuntu1.13) xenial-security; urgency=medium

  * SECURITY UPDATE: infinite loop via invalid payload length
    - debian/patches/CVE-2020-13935.patch: add additional payload length
      validation in java/org/apache/tomcat/websocket/WsFrameBase.java,
      java/org/apache/tomcat/websocket/LocalStrings.properties.
    - CVE-2020-13935
  * SECURITY UPDATE: HTTP Request Smuggling via invalid request smuggling
    - debian/patches/CVE-2020-1935.patch: use stricter header value
      parsing in java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/tomcat/util/http/MimeHeaders.java,
      java/org/apache/tomcat/util/http/parser/HttpParser.java,
      test/org/apache/coyote/http11/TestInternalInputBuffer.java.
    - CVE-2020-1935
  * SECURITY UPDATE: remote code execution via deserialization of a file
    under the attacker's control
    - debian/patches/CVE-2020-9484.patch: improve validation of storage
      location when using FileStore in
      java/org/apache/catalina/session/FileStore.java,
      java/org/apache/catalina/session/LocalStrings.properties.
    - CVE-2020-9484

 -- Marc Deslauriers <email address hidden> Mon, 03 Aug 2020 06:53:09 -0400

CVE-2020-13935
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and
CVE-2020-1935
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that al
CVE-2020-9484
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to contr

tomcat8 (8.0.32-1ubuntu1.11) xenial-security; urgency=medium

  * SECURITY UPDATE: JMX interface authentication bypass
    - debian/patches/CVE-2019-12418.patch: refactor JMX remote RMI registry
      creation in JmxRemoteLifecycleListener.java.
    - CVE-2019-12418
  * SECURITY UPDATE: session fixation attack in FORM authentication
    - debian/patches/CVE-2019-17563.patch: refactor so Principal is never
      cached in session with cache==false in
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/authenticator/Constants.java,
      java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2019-17563

 -- Marc Deslauriers <email address hidden> Fri, 24 Jan 2020 11:24:30 -0500

CVE-2019-12418
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker witho
CVE-2019-17563
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker

tomcat8 (8.0.32-1ubuntu1.8) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary redirect issue
    - debian/patches/CVE-2018-11784.patch: avoid protocol relative
      redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
    - CVE-2018-11784

 -- Marc Deslauriers <email address hidden> Tue, 09 Oct 2018 11:28:36 -0400

CVE-2018-11784
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g.

tomcat8 (8.0.32-1ubuntu1.7) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via issue in UTF-8 decoder
    - debian/patches/CVE-2018-1336.patch: fix logic in
      java/org/apache/tomcat/util/buf/Utf8Decoder.java.
    - CVE-2018-1336
  * SECURITY UPDATE: missing hostname verification in WebSocket client
    - debian/patches/CVE-2018-8034.patch: enable hostname verification by
      default in webapps/docs/web-socket-howto.xml,
      java/org/apache/tomcat/websocket/WsWebSocketContainer.java.
    - CVE-2018-8034

 -- Marc Deslauriers <email address hidden> Wed, 25 Jul 2018 08:17:36 -0400