tomcat7: CVE-2013-2071

Related Vulnerabilities: CVE-2013-2071   CVE-2013-2067   CVE-2012-3544   CVE-2014-0050   CVE-2013-4322   CVE-2013-4286  

Debian Bug report logs - #707704


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 10 May 2013 13:27:01 UTC

Severity: important

Tags: security

Fixed in versions tomcat7/7.0.40-1, tomcat7/7.0.28-4+deb7u1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#707704; Package tomcat7. (Fri, 10 May 2013 13:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 10 May 2013 13:27:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tomcat7: CVE-2013-2071
Date: Fri, 10 May 2013 15:21:50 +0200
Package: tomcat7
Severity: important
Tags: security

Three security issues were reported in tomcat today:
http://tomcat.apache.org/security-7.html

CVE-2013-2067 and CVE-2012-3544 were made public today, but already fixed in past
releases. Hence, in comparison to stable/oldstable sid is already fixed.

Note that CVE-2013-2067 and CVE-2012-3544 also affect tomcat6. tomcat6 should
be removed now that wheezy is released.

Cheers,
        Moritz



Marked as fixed in versions tomcat7/7.0.40-1. Request was from tony mancill <tmancill@debian.org> to control@bugs.debian.org. (Mon, 13 May 2013 05:03:04 GMT) (full text, mbox, link).


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Sun, 13 Apr 2014 17:24:23 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 13 Apr 2014 17:24:23 GMT) (full text, mbox, link).


Message #12 received at 707704-close@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: 707704-close@bugs.debian.org
Subject: Bug#707704: fixed in tomcat7 7.0.28-4+deb7u1
Date: Sun, 13 Apr 2014 17:18:20 +0000
Source: tomcat7
Source-Version: 7.0.28-4+deb7u1

We believe that the bug you reported is fixed in the latest version of
tomcat7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 707704@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated tomcat7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 10 Mar 2014 11:29:54 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.28-4+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description: 
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Closes: 707704
Changes: 
 tomcat7 (7.0.28-4+deb7u1) wheezy-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2014-0050: Multipart requests with a malformed Content-Type header
     can trigger an infinite loop causing a denial of service.
   * Fix CVE-2013-2067: FORM authentication associates the most recent request
     requiring authentication with the current session. By repeatedly sending
     a request for an authenticated resource while the victim is completing
     the login form, an attacker could inject a request that would be executed
     using the victim's credentials. (Closes: #707704)
   * Fix CVE-2013-2071: A runtime exception in AsyncListener.onComplete()
     prevents the request from being recycled. This may expose elements of a
     previous request to a current request.
   * Fix CVE-2012-3544 and CVE-2013-4322: When processing a request submitted
     using the chunked transfer encoding, Tomcat ignored but did not limit any
     extensions that were included. This allows a client to perform a limited
     denial of service by streaming an unlimited amount of data to the server.
   * Fix CVE-2013-4286: Reject requests with multiple content-length headers
     or with a content-length header when chunked encoding is being used.
   * Replaced the expired certificates used by the tests
     (backported from Tomcat 7.0.39)
Checksums-Sha1: 
 a49b46a7a267c41bf48802a196213c8cb0248beb 2625 tomcat7_7.0.28-4+deb7u1.dsc
 1460bb04578684e4b7ec44a6fb68b1a65421783f 3924077 tomcat7_7.0.28.orig.tar.gz
 3123b99072e57afb91828365c86f8d623a85c012 81087 tomcat7_7.0.28-4+deb7u1.debian.tar.gz
 6eb2097316ec78364c84dc4fd6589e3471fb4b8c 60574 tomcat7-common_7.0.28-4+deb7u1_all.deb
 b39f53fb47d1d871c3d28b70e84262b4a25126b8 49530 tomcat7_7.0.28-4+deb7u1_all.deb
 2f26f69da4a93abb0d3351298b1ae60435736a73 37104 tomcat7-user_7.0.28-4+deb7u1_all.deb
 4d27ad7a3ef0100999fea8e2347d1aa884dbbc80 3508060 libtomcat7-java_7.0.28-4+deb7u1_all.deb
 53a62dede0f2f666c7c77b39814c2528e5bb8ee1 304154 libservlet3.0-java_7.0.28-4+deb7u1_all.deb
 9f23ce9f4991c42d01fc7ecd0eb03696ac684df2 301854 libservlet3.0-java-doc_7.0.28-4+deb7u1_all.deb
 131876f33e873363e69a805a1bbeb2db167f8fda 51266 tomcat7-admin_7.0.28-4+deb7u1_all.deb
 80eddc556e2469aa9b602a383c61ef270ec0bac3 202374 tomcat7-examples_7.0.28-4+deb7u1_all.deb
 92a1334d7ddaa8ece456a79deb1e53cd64689d79 651222 tomcat7-docs_7.0.28-4+deb7u1_all.deb
Checksums-Sha256: 
 34347e5969b0ffa48ba8912b6850ded9d888ef6eec6ecbee0e19202c12411e0b 2625 tomcat7_7.0.28-4+deb7u1.dsc
 11ed46d3dbe1dd67c404788feac3d37aa06ed7e7262fa6010c1611898af80fce 3924077 tomcat7_7.0.28.orig.tar.gz
 511b7ceb3601da671636033cead11785089e1765f24c124cc9109c3b777aae2b 81087 tomcat7_7.0.28-4+deb7u1.debian.tar.gz
 28f2f54c7081b0b08ad271035f92c4c283538ab5a8c3835d98820969e1a28177 60574 tomcat7-common_7.0.28-4+deb7u1_all.deb
 f804f73201d0d2bab77e2593489c06c4584ecce689ddb82d77db7222be0a2100 49530 tomcat7_7.0.28-4+deb7u1_all.deb
 ee56dfa7361295db4f4cb3f1fa86a895a655a463d3a7f89627bd1f7fc0011c35 37104 tomcat7-user_7.0.28-4+deb7u1_all.deb
 e5d49e7fbead85a78cdb7d360f9f98509ae384aca8effd2a64e9bc37f750d9a7 3508060 libtomcat7-java_7.0.28-4+deb7u1_all.deb
 219c3fdb354cd2e546761a0849e91193b2041b526245134500d0ba739646929f 304154 libservlet3.0-java_7.0.28-4+deb7u1_all.deb
 735f82476e7876e98843335031c738266563f2ee1245d17e69b0d22e8e57a2ac 301854 libservlet3.0-java-doc_7.0.28-4+deb7u1_all.deb
 b43e097ee34c103b7d138585fd11220f5a7043488fa0d5ba1727d7a5a0d57a2b 51266 tomcat7-admin_7.0.28-4+deb7u1_all.deb
 55380166313a39bdeac63538967161ac82ebee6dca1fe8b2fd7888ad4e66b672 202374 tomcat7-examples_7.0.28-4+deb7u1_all.deb
 857d7b4c4ac1aab796ec5802678eb70c9513edf299affdadf7a384d2c46f2ff7 651222 tomcat7-docs_7.0.28-4+deb7u1_all.deb
Files: 
 d0abbfb78436db161973794b29ff947f 2625 java optional tomcat7_7.0.28-4+deb7u1.dsc
 c33dcbc69a1877d41b4ca4ae7a7c621b 3924077 java optional tomcat7_7.0.28.orig.tar.gz
 4c4ef3dbd21a077246b07eb8bd109772 81087 java optional tomcat7_7.0.28-4+deb7u1.debian.tar.gz
 50005b4326a067238994809c52af7df6 60574 java optional tomcat7-common_7.0.28-4+deb7u1_all.deb
 ee6430c9e81d287f0417b965ea7bb533 49530 java optional tomcat7_7.0.28-4+deb7u1_all.deb
 f1edd85b0efca839ab99c4c7ce714f91 37104 java optional tomcat7-user_7.0.28-4+deb7u1_all.deb
 62600e50aab0c1fdcb47eaa657ecfc07 3508060 java optional libtomcat7-java_7.0.28-4+deb7u1_all.deb
 39592d84790610caa5ab14d5be6564be 304154 java optional libservlet3.0-java_7.0.28-4+deb7u1_all.deb
 7fdc9063009e892a361642ca025f9856 301854 doc optional libservlet3.0-java-doc_7.0.28-4+deb7u1_all.deb
 1d80380c713b1bb1ae0b2253cf55d307 51266 java optional tomcat7-admin_7.0.28-4+deb7u1_all.deb
 8c0a1d42bd73c55f947513c36b67e9bc 202374 java optional tomcat7-examples_7.0.28-4+deb7u1_all.deb
 1cad8586894cc0429a325f9af887e483 651222 doc optional tomcat7-docs_7.0.28-4+deb7u1_all.deb




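The two request-framing fixes listed in the changelog above, CVE-2013-4286 (reject multiple Content-Length headers, or Content-Length combined with chunked transfer encoding) and CVE-2012-3544 / CVE-2013-4322 (bound the chunk extensions a client may send), are illustrated below by a small HTTP/1.1 request validator. This is an added example and not Tomcat's or Debian's code; the 8192-byte extension cap, the function names and the sample requests are constructed for the illustration.

```python
"""Defensive HTTP/1.1 request framing checks (added example, not Tomcat code).

Two classes of defect from the tomcat7 7.0.28-4+deb7u1 changelog are covered:
  * ambiguous body framing: more than one Content-Length header, or a
    Content-Length header alongside Transfer-Encoding: chunked (CVE-2013-4286);
  * unbounded chunk extensions in a chunked body (CVE-2012-3544 / CVE-2013-4322).
"""
from __future__ import annotations

MAX_EXTENSION_BYTES = 8192  # assumed cap on total chunk-extension bytes per request


class FramingError(ValueError):
    """Raised when a request must be rejected rather than parsed."""


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split the request head into the request line and (name, value) headers."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete request head")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise FramingError("malformed header line")
        headers.append((name.strip().lower().decode("latin-1"), value.strip().decode("latin-1")))
    return request_line, headers


def check_framing(headers: list[tuple[str, str]]) -> str:
    """Return 'chunked', 'content-length' or 'none'; reject ambiguous framing."""
    content_lengths = [v for n, v in headers if n == "content-length"]
    chunked = any("chunked" in v.lower() for n, v in headers if n == "transfer-encoding")
    if len(content_lengths) > 1:
        raise FramingError("multiple Content-Length headers")
    if content_lengths and chunked:
        raise FramingError("Content-Length with chunked Transfer-Encoding")
    if content_lengths:
        if not content_lengths[0].isdigit():
            raise FramingError("non-numeric Content-Length")
        return "content-length"
    return "chunked" if chunked else "none"


def decode_chunked(body: bytes, max_ext: int = MAX_EXTENSION_BYTES) -> bytes:
    """Decode a chunked body, capping the bytes spent on chunk extensions."""
    out = bytearray()
    pos = 0
    ext_bytes = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("truncated chunk-size line")
        size_hex, semi, ext = body[pos:eol].partition(b";")
        ext_bytes += len(semi) + len(ext)  # extensions are ignored but counted
        if ext_bytes > max_ext:
            raise FramingError("chunk extensions exceed limit")
        try:
            size = int(size_hex.strip(), 16)
        except ValueError:
            raise FramingError("bad chunk size") from None
        pos = eol + 2
        if size == 0:
            # last chunk: skip any trailer lines up to the terminating empty line
            while True:
                eol = body.find(b"\r\n", pos)
                if eol < 0:
                    raise FramingError("truncated trailers")
                line, pos = body[pos:eol], eol + 2
                if not line:
                    return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) < size:
            raise FramingError("truncated chunk")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise FramingError("missing chunk terminator")
        pos += 2


def validate_request(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, decoded body) or (rejected, reason)."""
    try:
        _, headers = parse_head(raw)
        framing = check_framing(headers)
        body = raw.partition(b"\r\n\r\n")[2]
        if framing == "chunked":
            body = decode_chunked(body)
        elif framing == "content-length":
            n = int(next(v for k, v in headers if k == "content-length"))
            if len(body) < n:
                raise FramingError("body shorter than Content-Length")
            body = body[:n]
        else:
            body = b""
        return True, body.decode("latin-1")
    except FramingError as exc:
        return False, str(exc)


# Constructed sample requests (not captured traffic).
SAMPLE_OK = (b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"4;ext=1\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n")
SAMPLE_CL_AND_CHUNKED = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
                         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
SAMPLE_DOUBLE_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
                    b"Content-Length: 7\r\n\r\nhello")
SAMPLE_EXT_FLOOD = (b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
                    b"4;" + b"x" * 9000 + b"\r\nWiki\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_CL_AND_CHUNKED", "SAMPLE_DOUBLE_CL", "SAMPLE_EXT_FLOOD"):
        print(name, validate_request(globals()[name]))
```

The validator rejects rather than "fixes" ambiguous framing: a front-end proxy and the servlet container may otherwise choose different body boundaries for the same bytes, which is the condition CVE-2013-4286 closes. The extension budget is cumulative per request, so a client cannot keep a connection busy by sending an endless stream of chunk-size lines whose extensions are parsed and discarded.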

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 May 2014 07:25:06 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:53:04 2019; Machine Name: buxtehude
