group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1721749] Re: Security Fix - CVE-2017-12617

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1721749@xxxxxxxxxxxxxxxxxx>
Date: Wed, 30 May 2018 17:35:32 -0000
Reply-to: Bug 1721749 <1721749@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package tomcat8 - 8.5.21-1ubuntu1.1

---------------
tomcat8 (8.5.21-1ubuntu1.1) artful-security; urgency=medium

  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-12617.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
      java/org/apache/catalina/webresources/DirResourceSet.java,
      java/org/apache/tomcat/util/compat/JrePlatform.java,
      test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
      test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
    - CVE-2017-12617
  * SECURITY UPDATE: incorrectly documented CGI search algorithm
    - debian/patches/CVE-2017-15706.patch: adjust documentation in
      webapps/docs/cgi-howto.xml.
    - CVE-2017-15706
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Mon, 28 May 2018
09:03:55 -0400

** Changed in: tomcat8 (Ubuntu Artful)
       Status: New => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15706

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1304

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1305

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-8014

** Changed in: tomcat8 (Ubuntu Xenial)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1721749

Title:
  Security Fix - CVE-2017-12617

Status in tomcat8 package in Ubuntu:
  Fix Released
Status in tomcat8 source package in Trusty:
  New
Status in tomcat8 source package in Xenial:
  Fix Released
Status in tomcat8 source package in Artful:
  Fix Released
Status in tomcat8 source package in Bionic:
  Fix Released

Bug description:
  Tomcat Versions earlier than 7.0.82, 8.0.47, 8.5.23 or 9.0.1 (beta) are containing the vulnerability
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617 (Severity: Important)

  The tomcat8 package in ubuntu xenial wasn't updated in the last
  month's so I don't think there was a  backport of the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1721749/+subscriptions