===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1943
                    [DLA 1810-1] tomcat7 security update
                                31 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat7
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-0221

Reference:         https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : tomcat7
Version        : 7.0.56-3+really7.0.94-1
CVE ID         : CVE-2019-0221

Nightwatch Cybersecurity Research team identified an XSS vulnerability in tomcat7. The SSI printenv command echoes user-provided data without escaping. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

For Debian 8 "Jessie", this problem has been fixed in version 7.0.56-3+really7.0.94-1.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
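
An exposure check for the condition the included advisory describes (SSI enabled and a page using the printenv directive), as an added example that is not part of the AusCERT bulletin or the Debian advisory. The SSI class names are Tomcat's own; the web.xml text, page paths and page contents are constructed samples, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Tomcat's SSI implementation classes (servlet and filter variants).
SSI_CLASSES = {"org.apache.catalina.ssi.SSIServlet",
               "org.apache.catalina.ssi.SSIFilter"}
# The SSI directive the advisory names, e.g. <!--#printenv -->
PRINTENV = re.compile(r"<!--\s*#printenv\b", re.IGNORECASE)
# Constructed samples: a web.xml with the SSI servlet commented out (disabled),
# the same file with the comment markers removed (enabled), and two pages.
DEFAULT_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <!--
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
  -->
</web-app>"""
ENABLED_WEB_XML = DEFAULT_WEB_XML.replace("<!--\n", "").replace("  -->\n", "")
PAGES = {
    "debug.shtml": "<html>\n<pre><!--#printenv --></pre>\n</html>",
    "index.shtml": '<!--#echo var="DATE_LOCAL" -->',
}


def ssi_enabled(web_xml_text):
    """Return SSI classes that are really declared; XML comments are skipped."""
    found = set()
    for el in ET.fromstring(web_xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if local in ("servlet-class", "filter-class"):
            name = (el.text or "").strip()
            if name in SSI_CLASSES:
                found.add(name)
    return found


def exposure(web_xml_text, pages):
    """Map page path -> line numbers using printenv, only when SSI is enabled."""
    if not ssi_enabled(web_xml_text):
        return {}
    hits = {}
    for path, text in pages.items():
        lines = [n for n, line in enumerate(text.splitlines(), 1)
                 if PRINTENV.search(line)]
        if lines:
            hits[path] = lines
    return hits
```

Parsing the descriptor instead of searching it for the class name avoids a false positive on the commented-out SSI block, which is how a disabled configuration looks in the first sample.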