tomcat7 (7.0.52-1ubuntu0.14) trusty-security; urgency=medium
  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-1261x.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java
      java/org/apache/naming/resources/FileDirContext.java,
      java/org/apache/naming/resources/JrePlatform.java,
      java/org/apache/naming/resources/LocalStrings.properties,
      java/org/apache/naming/resources/VirtualDirContext.java,
      test/org/apache/naming/resources/TestFileDirContext.java.
    - CVE-2017-12616
    - CVE-2017-12617
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014
-- Marc Deslauriers <email address hidden> Tue, 29 May 2018 10:22:42 -0400