Security Fix - CVE-2017-12617

Bug #1721749 reported by sw on 2017-10-06
264
This bug affects 2 people
Affects Status Importance Assigned to Milestone
tomcat8 (Ubuntu)
Undecided
Unassigned
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned
Artful
Undecided
Unassigned
Bionic
Undecided
Unassigned

Bug Description

Tomcat Versions earlier than 7.0.82, 8.0.47, 8.5.23 or 9.0.1 (beta) are containing the vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617 (Severity: Important)

The tomcat8 package in ubuntu xenial wasn't updated in the last month's so I don't think there was a backport of the fix.

Steve Beattie (sbeattie) on 2017-10-06
Changed in tomcat8 (Ubuntu):
status: New → Triaged
information type: Private Security → Public Security
Matthias Klose (doko) wrote :

fixed with 8.5.29-1 in bionic

Changed in tomcat8 (Ubuntu Bionic):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat8 - 8.5.21-1ubuntu1.1

---------------
tomcat8 (8.5.21-1ubuntu1.1) artful-security; urgency=medium

  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-12617.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
      java/org/apache/catalina/webresources/DirResourceSet.java,
      java/org/apache/tomcat/util/compat/JrePlatform.java,
      test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
      test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
    - CVE-2017-12617
  * SECURITY UPDATE: incorrectly documented CGI search algorithm
    - debian/patches/CVE-2017-15706.patch: adjust documentation in
      webapps/docs/cgi-howto.xml.
    - CVE-2017-15706
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <email address hidden> Mon, 28 May 2018 09:03:55 -0400

Changed in tomcat8 (Ubuntu Artful):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat8 - 8.0.32-1ubuntu1.6

---------------
tomcat8 (8.0.32-1ubuntu1.6) xenial-security; urgency=medium

  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-12617.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
      java/org/apache/catalina/webresources/DirResourceSet.java,
      java/org/apache/tomcat/util/compat/JrePlatform.java,
      test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
      test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
    - CVE-2017-12617
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <email address hidden> Mon, 28 May 2018 13:21:29 -0400

Changed in tomcat8 (Ubuntu Xenial):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers