tomcat7 needs update to 7.0.40

Bug #1178645 reported by H.-Dirk Schmitt on 2013-05-10
294
This bug affects 8 people
Affects Status Importance Assigned to Milestone
tomcat7 (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Raring
Undecided
Unassigned
Saucy
Undecided
Unassigned

Bug Description

The new version has some more security fixed, which are not part of 7.0.34 (and .39).
Also a backport to precise [quantal, ...] is needed.

See announcement mail:
-----------------------

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.40.

Apache Tomcat is an open source software implementation of the Java
Servlet, JavaServer Pages and Java Expression Language technologies.

This release contains a security fix and a number of bug fixes
and improvements compared to version 7.0.39. The notable changes include:
- A fix for CVE-2013-2071 (bug <bug>54178</bug>) an informatio
  disclosure issue.
- Various fixes to stop Tomcat attempting to parse text that looks like
  an EL expression in a JSP document as an EL expression when EL
  expressions are either not permitted or not enabled.
- Improved handling and reporting if a ConcurrentModificationException
  occurs while checking for memory leaks when a web application is
   being stopped.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

information type: Private Security → Public
description: updated
tags: added: precise quantal raring
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Marking as Public Security for the attention of the security team as it looks like this may affect Quantal and Raring, where tomcat is in main. tomcat is in universe in Oneiric and Precise.

information type: Public → Public Security
Changed in tomcat7 (Ubuntu Precise):
status: New → Confirmed
Changed in tomcat7 (Ubuntu Quantal):
status: New → Confirmed
Changed in tomcat7 (Ubuntu Raring):
status: New → Confirmed
Changed in tomcat7 (Ubuntu Saucy):
status: New → Confirmed
CSRedRat (csredrat) on 2013-05-11
tags: added: upgrade-software-version
James Page (james-page) on 2013-05-16
Changed in tomcat7 (Ubuntu Saucy):
status: Confirmed → Fix Released

The saucy version is not visible below http://packages.ubuntu.com/search?suite=saucy&keywords=tomcat7

Are there any additional changes to the debian 7.0.40-2 version ?
The reason for my question is my backport to precise in https://launchpad.net/~dirk-computer42/+archive/c42-backport
Currently it is based on the debian version.

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

Marc Deslauriers (mdeslaur) wrote :

Looks like packages.ubuntu.com is out of date:

https://launchpad.net/ubuntu/+source/tomcat7/7.0.40-2

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat7 - 7.0.30-0ubuntu1.2

---------------
tomcat7 (7.0.30-0ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067
  * SECURITY UPDATE: information leak via AsyncListeners and
    RuntimeExceptions (LP: #1178645)
    - debian/patches/CVE-2013-2071.patch: catch RuntimeExceptions in
      java/org/apache/catalina/core/AsyncContextImpl.java, added tests to
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - CVE-2013-2071
  * Fix FTBFS due to expired test certificates:
    - d/keystores/*.jks: Newer keystores from upstream 7.0.39.
    - d/rules: Install newer keystores for testing, tidy up after use.
    - d/p/0018-update-test-certificates.patch: Cherry picked fixes from
      upstream VCS to update text based certificates.
 -- Marc Deslauriers <email address hidden> Thu, 23 May 2013 09:04:36 -0400

Changed in tomcat7 (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat7 - 7.0.35-1~exp2ubuntu1.1

---------------
tomcat7 (7.0.35-1~exp2ubuntu1.1) raring-security; urgency=low

  * SECURITY UPDATE: information leak via AsyncListeners and
    RuntimeExceptions (LP: #1178645)
    - debian/patches/CVE-2013-2071.patch: catch RuntimeExceptions in
      java/org/apache/catalina/core/AsyncContextImpl.java, added tests to
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - CVE-2013-2071
 -- Marc Deslauriers <email address hidden> Tue, 21 May 2013 10:07:15 -0400

Changed in tomcat7 (Ubuntu Raring):
status: Confirmed → Fix Released

See https://bugs.launchpad.net/quantal-backports/+bug/1073159
The backport of 7.0.40 to **all** previous releases is still needed.

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

Reason is CVE-2013-2071

Mark Kirk (mklists) wrote :

Hi, any movement on this for Precise? I'm waiting for this to apply to some 12.04LTS servers. Many thanks.

Am 19.07.2013 05:24, schrieb Mark Kirk:
> Hi, any movement on this for Precise? I'm waiting for this to apply to
> some 12.04LTS servers. Many thanks.
>
Have a look at
https://launchpad.net/~dirk-computer42/+archive/c42-backport for a
working backport to precise.

Best Regards,

H.-Dirk Schmitt

--
Signature H.-Dirk Schmitt
------------------------------------------------------------------------

*
H.-Dirk Schmitt <http://www.computer42.org>*
Dipl.Math.

eMail:/<email address hidden>/
mobile:/+49 177 616 8564/
phone: /+49 2642 99 41 14/
fax: /+49 2642 99 41 15/
Schillerstr. 42, D-53489 Sinzig

pgp: http://www.computer42.org/~dirk/OpenPGP-fingerprint.html
<http://www.computer42.org/%7Edirk/OpenPGP-fingerprint.html>

Seth Arnold (seth-arnold) wrote :

Tomcat7 in 12.04 LTS is community supported -- H.-Dirk, is your backported package of sufficient quality that the debdiff could be used to provide an update for other precise users? Please see https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for some details.

Thanks

See https://bugzilla.computer42.org/show_bug.cgi?id=2381 it is a simple "no change" backport from debian.

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers