Unfixed vulnerabilities of Tomcat 8.5 in Ubuntu 18.04

Bug #1785399 reported by Thomas Opfer
This bug affects 1 person
Affects: tomcat8 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Steve Beattie

Bug Description

Hi,

is there any chance to get the vulnerabilities CVE-2018-1336, CVE-2018-8034 and CVE-2018-8037 fixed in Ubuntu 18.04? They seem to be fixed in 16.04, and 18.10 seems to be unaffected. There is no fix for 18.04 yet.

Please let me know if I can help somehow.

Best regards,
Thomas

Tags: patch

Thomas Opfer (t.o)
information type: Public → Public Security
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

tomcat8 is in universe in 18.04, so it is dependent on the volunteers to provide security fixes. Please see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation if you can help with this.

Thomas Opfer (t.o) wrote :

I took the patches mentioned on https://tomcat.apache.org/security-8.html and created a debdiff file. Tomcat builds fine and starts.

I have never worked with debdiff files before. Can you please have a look at it and give me some feedback?

Best regards,
Thomas

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Fixes for CVE-2018-1336, CVE-2018-8034 and CVE-2018-8037 taken from svn.apache.org" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Steve Beattie (sbeattie) wrote :

Thanks, I'm looking at this now.

Changed in tomcat8 (Ubuntu):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Steve Beattie (sbeattie) wrote :

Thomas, thanks for the debdiff. I have published this now: https://bugs.launchpad.net/ubuntu/+source/tomcat8/8.5.30-1ubuntu1.4

Changed in tomcat8 (Ubuntu):
status: In Progress → Fix Released