This bug was fixed in the package tomcat8 - 8.5.21-1ubuntu1.1
--------------- tomcat8 (8.5.21-1ubuntu1.1) artful-security; urgency=medium
* SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749) - debian/patches/CVE-2017-12617.patch: add checks to java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/webresources/AbstractFileResourceSet.java, java/org/apache/catalina/webresources/DirResourceSet.java, java/org/apache/tomcat/util/compat/JrePlatform.java, test/org/apache/catalina/webresources/AbstractTestResourceSet.java, test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java. - CVE-2017-12617 * SECURITY UPDATE: incorrectly documented CGI search algorithm - debian/patches/CVE-2017-15706.patch: adjust documentation in webapps/docs/cgi-howto.xml. - CVE-2017-15706 * SECURITY UPDATE: security constraints mapped to context root are ignored - debian/patches/CVE-2018-1304.patch: add check to java/org/apache/catalina/realm/RealmBase.java. - CVE-2018-1304 * SECURITY UPDATE: security constraint annotations applied too late - debian/patches/CVE-2018-1305.patch: change ordering in java/org/apache/catalina/Wrapper.java, java/org/apache/catalina/authenticator/AuthenticatorBase.java, java/org/apache/catalina/core/ApplicationContext.java, java/org/apache/catalina/core/ApplicationServletRegistration.java, java/org/apache/catalina/core/StandardContext.java, java/org/apache/catalina/core/StandardWrapper.java, java/org/apache/catalina/startup/ContextConfig.java, java/org/apache/catalina/startup/Tomcat.java, java/org/apache/catalina/startup/WebAnnotationSet.java. - CVE-2018-1305 * SECURITY UPDATE: CORS filter has insecure defaults - debian/patches/CVE-2018-8014.patch: change defaults in java/org/apache/catalina/filters/CorsFilter.java, java/org/apache/catalina/filters/LocalStrings.properties, test/org/apache/catalina/filters/TestCorsFilter.java, test/org/apache/catalina/filters/TesterFilterConfigs.java. - CVE-2018-8014
-- Marc Deslauriers <email address hidden> Mon, 28 May 2018 09:03:55 -0400
This bug was fixed in the package tomcat8 - 8.5.21-1ubuntu1.1
---------------
tomcat8 (8.5.21-1ubuntu1.1) artful-security; urgency=medium
* SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749) patches/ CVE-2017- 12617.patch: add checks to org/apache/ catalina/ servlets/ DefaultServlet. java, org/apache/ catalina/ webresources/ AbstractFileRes ourceSet. java, org/apache/ catalina/ webresources/ DirResourceSet. java, org/apache/ tomcat/ util/compat/ JrePlatform. java, org/apache/ catalina/ webresources/ AbstractTestRes ourceSet. java, org/apache/ catalina/ webresources/ TestAbstractFil eResourceSetPer formance. java. patches/ CVE-2017- 15706.patch: adjust documentation in docs/cgi- howto.xml. patches/ CVE-2018- 1304.patch: add check to org/apache/ catalina/ realm/RealmBase .java. patches/ CVE-2018- 1305.patch: change ordering in org/apache/ catalina/ Wrapper. java, org/apache/ catalina/ authenticator/ AuthenticatorBa se.java, org/apache/ catalina/ core/Applicatio nContext. java, org/apache/ catalina/ core/Applicatio nServletRegistr ation.java, org/apache/ catalina/ core/StandardCo ntext.java, org/apache/ catalina/ core/StandardWr apper.java, org/apache/ catalina/ startup/ ContextConfig. java, org/apache/ catalina/ startup/ Tomcat. java, org/apache/ catalina/ startup/ WebAnnotationSe t.java. patches/ CVE-2018- 8014.patch: change defaults in org/apache/ catalina/ filters/ CorsFilter. java, org/apache/ catalina/ filters/ LocalStrings. properties, org/apache/ catalina/ filters/ TestCorsFilter. java, org/apache/ catalina/ filters/ TesterFilterCon figs.java.
- debian/
java/
java/
java/
java/
test/
test/
- CVE-2017-12617
* SECURITY UPDATE: incorrectly documented CGI search algorithm
- debian/
webapps/
- CVE-2017-15706
* SECURITY UPDATE: security constraints mapped to context root are ignored
- debian/
java/
- CVE-2018-1304
* SECURITY UPDATE: security constraint annotations applied too late
- debian/
java/
java/
java/
java/
java/
java/
java/
java/
java/
- CVE-2018-1305
* SECURITY UPDATE: CORS filter has insecure defaults
- debian/
java/
java/
test/
test/
- CVE-2018-8014
-- Marc Deslauriers <email address hidden> Mon, 28 May 2018 09:03:55 -0400