Operating System:

[Debian]

Published:

02 January 2020

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0014
                          tomcat8 security update
                              2 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat8
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Access Confidential Data       -- Existing Account            
                   Unauthorised Access            -- Remote with User Interaction
                   Cross-site Scripting           -- Remote with User Interaction
                   Denial of Service              -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17563 CVE-2019-12418 CVE-2019-0221
                   CVE-2019-0199 CVE-2018-11784 CVE-2018-8014

Reference:         ESB-2019.4714
                   ESB-2019.4405
                   ESB-2019.3456
                   ESB-2019.3098
                   ESB-2018.3704

Original Bulletin: 
   https://www.debian.org/security/2019/dsa-4596

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4596-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 27, 2019                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : tomcat8
CVE ID         : CVE-2018-8014 CVE-2018-11784 CVE-2019-0199 CVE-2019-0221 
                 CVE-2019-12418 CVE-2019-17563

Several issues were discovered in the Tomcat servlet and JSP engine, which
could result in session fixation attacks, information disclosure, cross-
site scripting, denial of service via resource exhaustion and insecure
redirects.

For the oldstable distribution (stretch), these problems have been fixed
in version 8.5.50-0+deb9u1. This update also requires an updated version
of tomcat-native which has been updated to 1.2.21-1~deb9u1.

We recommend that you upgrade your tomcat8 packages.

For the detailed security status of tomcat8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat8

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl4GgDcACgkQEMKTtsN8
TjaVxA//dmUGPdFZSI6VW/avTJ8YKIgVaKTLJz47hl9GKWJoGI4lG5TE4INs193y
xKf2gtuPb/YCdqZj2VphPTiPiIbycXrRXTq9uGnioteeAZfgKnqSokcQ+EvUItsp
Q7nBeuFNdSHaK1TAQ74Ty4qcwM/WXQ5c0UfZvAbMzYp3PRrkHkMXhUHMj7MJNz7W
6I/ehY+h+VkvTj7P6U3icEoLsTqOwKiHFiAVKD9DiUZqRI62nmbMW2il1zgF3pOZ
QNrDGhNsaVfhJbIES3/vuF/qSQIm6GryQ1dwxbFBszemdHTGEQmANsxLLXWnPDH1
2KigZh5bkSlQZvJRHgbJp+LdM+DSY7VI1KtwTIkpwFZ2/kbz+kMGGT+TQplSORyL
IY9SK1aQduWBx2yi3X7/wPXVdV7KA1cMCPhSt8fVieYxZWtONALBuCdnSSEweIEq
myd2GD75QIHjZy7JZoVc421kCjH4IrXxuwEQDkHjKTladjdklOREEocAc8R+NjSS
kUKdS2cOel6M2yjH/ieOv3DVaUPplgl+0KJGXqAhdkCQUwTMsw1tmR/ObWkCHQov
k79Isubwc5kuQD/iBCuIQM8TgfNcyWXNAyHbpKR7kGkrn/ihN7dsCdvRjrMPrvRJ
x/PLd3rjlgS5D1cEf7PTZZjym4mwDPrKgamSt9V3f3RwFwV75vY=
=je4v
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXg1IqmaOgq3Tt24GAQiC4hAAxc85wHXva1fidaWSN/XiGpBmL41Nxznv
aIP4b9yy9yJ9q1iOeM/Ft7fzJD/j1epgXeLtDHhmhtM/xvm7lknlAXaQ/UYPUGT1
t5a2P5rMLgJyCeJDkC2efRgiTM+IL4gy+PLj+mbSE7pr/dEJGiJ9c3nxW2xXmMJY
5wsockcdzI7fS++4jiPdqqSE834USORi5+tk70qSItm2OEUPZT48Oleap4XyN9TL
1TwMoRDCGdCRLgNaIb7DMl+5SbdOAsvcX8tQ7NdqBjzgIUvANwzuiOR/NlOxl+jd
8h3freqFo+3vKcyN/lV7QKHEwNz/sVwVSyA9uBShVKiMXk3FrfRAoDFqyhUopyRO
LuyqWSZTvu77nR+V8d8GpZqaBPu4UTPkc6Hi70UFo3Sr7Ytb9yw8itugcWloRX5v
bsoySAJ9wGeYG2ye3OOgP+f1WEYDvAqjedpz2nKwjU5LOG2m7T/+kHBFn7DX1yZJ
eu8WVvCPFcVAs5cBJCFN1Uvb0h30t/oMCC9vWSe3ksvABqfcuD5sucx1lPT0jMUC
aNMU9RLvgzA8EEyLWmyfxf3ID9FYTQc2XJkKA1ggewIzyEKemCkK54LGLMtDUd7E
W39MoiEmDB72zlQNvqPpTkJHRFzABCz89am65sH3Ga8IkRzAWpn01avjVeqpi05o
v9Z2nTI/f2M=
=92Mr
-----END PGP SIGNATURE-----