group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1721749] Re: Security Fix - CVE-2017-12617

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Mathew Hodson <1721749@xxxxxxxxxxxxxxxxxx>
Date: Sat, 09 Jan 2021 06:20:56 -0000
Reply-to: Bug 1721749 <1721749@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
tomcat7 (7.0.52-1ubuntu0.14) trusty-security; urgency=medium

  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-1261x.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java
      java/org/apache/naming/resources/FileDirContext.java,
      java/org/apache/naming/resources/JrePlatform.java,
      java/org/apache/naming/resources/LocalStrings.properties,
      java/org/apache/naming/resources/VirtualDirContext.java,
      test/org/apache/naming/resources/TestFileDirContext.java.
    - CVE-2017-12616
    - CVE-2017-12617
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Tue, 29 May 2018
10:22:42 -0400

** Also affects: tomcat7 (Ubuntu)
   Importance: Undecided
       Status: New

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1261

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12616

** Changed in: tomcat7 (Ubuntu Trusty)
       Status: New => Fix Released

** No longer affects: tomcat8 (Ubuntu Trusty)

** Changed in: tomcat7 (Ubuntu Artful)
       Status: New => Won't Fix

** No longer affects: tomcat7 (Ubuntu)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1721749

Title:
  Security Fix - CVE-2017-12617

Status in tomcat8 package in Ubuntu:
  Fix Released
Status in tomcat7 source package in Trusty:
  Fix Released
Status in tomcat7 source package in Xenial:
  New
Status in tomcat8 source package in Xenial:
  Fix Released
Status in tomcat7 source package in Artful:
  Won't Fix
Status in tomcat8 source package in Artful:
  Fix Released
Status in tomcat7 source package in Bionic:
  New
Status in tomcat8 source package in Bionic:
  Fix Released

Bug description:
  Tomcat Versions earlier than 7.0.82, 8.0.47, 8.5.23 or 9.0.1 (beta) are containing the vulnerability
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617 (Severity: Important)

  The tomcat8 package in ubuntu xenial wasn't updated in the last
  month's so I don't think there was a  backport of the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1721749/+subscriptions