Ubuntu
tomcat7 package

tomcat7 needs update to 7.0.40

Bug #1178645 reported by H.-Dirk Schmitt
294
This bug affects 8 people
Affects Status Importance Assigned to Milestone
tomcat7 (Ubuntu)
Fix Released
Undecided
Unassigned
Precise
Won't Fix
Undecided
Unassigned
Quantal
Fix Released
Undecided
Unassigned
Raring
Fix Released
Undecided
Unassigned
Saucy
Fix Released
Undecided
Unassigned

Bug Description

The new version has some more security fixed, which are not part of 7.0.34 (and .39).
Also a backport to precise [quantal, ...] is needed.

See announcement mail:
-----------------------

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.40.

Apache Tomcat is an open source software implementation of the Java
Servlet, JavaServer Pages and Java Expression Language technologies.

This release contains a security fix and a number of bug fixes
and improvements compared to version 7.0.39. The notable changes include:
- A fix for CVE-2013-2071 (bug <bug>54178</bug>) an informatio
  disclosure issue.
- Various fixes to stop Tomcat attempting to parse text that looks like
  an EL expression in a JSP document as an EL expression when EL
  expressions are either not permitted or not enabled.
- Improved handling and reporting if a ConcurrentModificationException
  occurs while checking for memory leaks when a web application is
   being stopped.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

See original description
H.-Dirk Schmitt (dirk-computer42)
information type: Private Security → Public
H.-Dirk Schmitt (dirk-computer42)
description: updated
tags: added: precise quantal raring
Revision history for this message
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Marking as Public Security for the attention of the security team as it looks like this may affect Quantal and Raring, where tomcat is in main. tomcat is in universe in Oneiric and Precise.

information type: Public → Public Security
Marc Deslauriers (mdeslaur)
Changed in tomcat7 (Ubuntu Precise):
status: New → Confirmed
Changed in tomcat7 (Ubuntu Quantal):
status: New → Confirmed
Changed in tomcat7 (Ubuntu Raring):
status: New → Confirmed
Changed in tomcat7 (Ubuntu Saucy):
status: New → Confirmed
CSRedRat (csredrat)
tags: added: upgrade-software-version
James Page (james-page)
Changed in tomcat7 (Ubuntu Saucy):
status: Confirmed → Fix Released
Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote :

The saucy version is not visible below http://packages.ubuntu.com/search?suite=saucy&keywords=tomcat7

Are there any additional changes to the debian 7.0.40-2 version ?
The reason for my question is my backport to precise in https://launchpad.net/~dirk-computer42/+archive/c42-backport
Currently it is based on the debian version.

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Looks like packages.ubuntu.com is out of date:

https://launchpad.net/ubuntu/+source/tomcat7/7.0.40-2

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat7 - 7.0.30-0ubuntu1.2

---------------
tomcat7 (7.0.30-0ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067
  * SECURITY UPDATE: information leak via AsyncListeners and
    RuntimeExceptions (LP: #1178645)
    - debian/patches/CVE-2013-2071.patch: catch RuntimeExceptions in
      java/org/apache/catalina/core/AsyncContextImpl.java, added tests to
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - CVE-2013-2071
  * Fix FTBFS due to expired test certificates:
    - d/keystores/*.jks: Newer keystores from upstream 7.0.39.
    - d/rules: Install newer keystores for testing, tidy up after use.
    - d/p/0018-update-test-certificates.patch: Cherry picked fixes from
      upstream VCS to update text based certificates.
 -- Marc Deslauriers <email address hidden> Thu, 23 May 2013 09:04:36 -0400

Changed in tomcat7 (Ubuntu Quantal):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat7 - 7.0.35-1~exp2ubuntu1.1

---------------
tomcat7 (7.0.35-1~exp2ubuntu1.1) raring-security; urgency=low

  * SECURITY UPDATE: information leak via AsyncListeners and
    RuntimeExceptions (LP: #1178645)
    - debian/patches/CVE-2013-2071.patch: catch RuntimeExceptions in
      java/org/apache/catalina/core/AsyncContextImpl.java, added tests to
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - CVE-2013-2071
 -- Marc Deslauriers <email address hidden> Tue, 21 May 2013 10:07:15 -0400

Changed in tomcat7 (Ubuntu Raring):
status: Confirmed → Fix Released
Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote :

See https://bugs.launchpad.net/quantal-backports/+bug/1073159
The backport of 7.0.40 to **all** previous releases is still needed.

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote :

Reason is CVE-2013-2071

Revision history for this message
Mark Kirk (mklists) wrote :

Hi, any movement on this for Precise? I'm waiting for this to apply to some 12.04LTS servers. Many thanks.

Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote : Re: [Bug 1178645] Re: tomcat7 needs update to 7.0.40

Am 19.07.2013 05:24, schrieb Mark Kirk:
> Hi, any movement on this for Precise? I'm waiting for this to apply to
> some 12.04LTS servers. Many thanks.
>
 Have a look at
https://launchpad.net/~dirk-computer42/+archive/c42-backport for a
working backport to precise.

Best Regards,

H.-Dirk Schmitt

--
Signature H.-Dirk Schmitt
------------------------------------------------------------------------

*
H.-Dirk Schmitt <http://www.computer42.org>*
Dipl.Math.

eMail:/<email address hidden>/
mobile:/+49 177 616 8564/
phone: /+49 2642 99 41 14/
fax: /+49 2642 99 41 15/
Schillerstr. 42, D-53489 Sinzig

pgp: http://www.computer42.org/~dirk/OpenPGP-fingerprint.html
<http://www.computer42.org/%7Edirk/OpenPGP-fingerprint.html>

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Tomcat7 in 12.04 LTS is community supported -- H.-Dirk, is your backported package of sufficient quality that the debdiff could be used to provide an update for other precise users? Please see https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for some details.

Thanks

Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote :

See https://bugzilla.computer42.org/show_bug.cgi?id=2381 it is a simple "no change" backport from debian.

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

Changed in tomcat7 (Ubuntu Precise):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.