
Accepted tomcat8 8.0.14-1+deb8u15 (source all) into oldoldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 13 Aug 2019 16:22:22 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u15
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Changes:
 tomcat8 (8.0.14-1+deb8u15) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix flaky FTBFS by improving fix for CVE-2017-5647.
   * Refresh the expired SSL certificates used by the tests from
     freshly-renewed upstream Tomcat and adapt the test user DN.
   * Fix CVE-2019-0221:
     The SSI printenv command in Apache Tomcat echoes user provided
     data without escaping and is, therefore, vulnerable to XSS. SSI is
     disabled by default. The printenv command is intended for
     debugging and is unlikely to be present in a production website.
   * Fix CVE-2018-8014:
     The default settings for the CORS filter provided in Apache
     Tomcat are insecure and enable 'supportsCredentials' for all
     origins. It is expected that users of the CORS filter will have
     configured it appropriately for their environment rather than
     using it in the default configuration. Therefore, it is expected
     that most users will not be impacted by this issue.
   * Fix CVE-2016-5388:
     Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875
     section 4.1.18 and therefore does not protect applications from
     the presence of untrusted client data in the HTTP_PROXY
     environment variable, which might allow remote attackers to
     redirect an application's outbound HTTP traffic to an arbitrary
     proxy server via a crafted Proxy header in an HTTP request, aka an
     "httpoxy" issue.  The 'cgi' servlet now has a 'envHttpHeaders'
     parameter to filter environment variables.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
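
The CVE-2016-5388 entry above describes request headers being exported to CGI scripts as HTTP_* environment variables and a filter on which headers are passed. The following is an added illustration, not part of the original message and not Tomcat's or Debian's code. The allowlist pattern, the function names and the sample headers are constructed for the example, and matching the whole upper-cased header name is an assumption about how such a filter is applied.

```python
import re

# Constructed allowlist for illustration; the value shipped in the Debian
# package is not shown in the changelog.
ALLOWED_HEADERS = re.compile(r"ACCEPT[-0-9A-Z]*|COOKIE|HOST|REFERER|USER-AGENT")


def rfc3875_name(header):
    """RFC 3875 section 4.1.18: upper-case, '-' becomes '_', prefix HTTP_."""
    return "HTTP_" + header.upper().replace("-", "_")


def cgi_env_unfiltered(headers):
    """Behaviour the changelog describes as the problem: every header is exported."""
    return {rfc3875_name(k): v for k, v in headers.items()}


def cgi_env_filtered(headers, allowed=ALLOWED_HEADERS):
    """Export only headers whose upper-cased name fully matches the allowlist."""
    env = {}
    for name, value in headers.items():
        if allowed.fullmatch(name.upper()):
            env[rfc3875_name(name)] = value
    return env


def proxy_seen_by_script(env):
    """The value an HTTP client honouring HTTP_PROXY would read inside the CGI script."""
    return env.get("HTTP_PROXY")


# Constructed request headers; the .invalid hosts are placeholders.
SAMPLE_HEADERS = {
    "Host": "app.example.invalid",
    "User-Agent": "curl/7.64.0",
    "Accept-Language": "en",
    "Proxy": "http://proxy.example.invalid:3128",
}

if __name__ == "__main__":
    for label, build in (("unfiltered", cgi_env_unfiltered),
                         ("filtered", cgi_env_filtered)):
        env = build(SAMPLE_HEADERS)
        print(label, sorted(env), "HTTP_PROXY =", proxy_seen_by_script(env))
```

An allowlist is used rather than a blocklist of the single name Proxy, so any header that was not explicitly selected stays out of the script's environment.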

