-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0014
                          tomcat8 security update
                               2 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat8
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Access Confidential Data       -- Existing Account
                   Unauthorised Access            -- Remote with User Interaction
                   Cross-site Scripting           -- Remote with User Interaction
                   Denial of Service              -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17563 CVE-2019-12418 CVE-2019-0221 CVE-2019-0199
                   CVE-2018-11784 CVE-2018-8014
Reference:         ESB-2019.4714
                   ESB-2019.4405
                   ESB-2019.3456
                   ESB-2019.3098
                   ESB-2018.3704

Original Bulletin:
   https://www.debian.org/security/2019/dsa-4596

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4596-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 27, 2019                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : tomcat8
CVE ID         : CVE-2018-8014 CVE-2018-11784 CVE-2019-0199 CVE-2019-0221
                 CVE-2019-12418 CVE-2019-17563

Several issues were discovered in the Tomcat servlet and JSP engine, which
could result in session fixation attacks, information disclosure, cross-site
scripting, denial of service via resource exhaustion and insecure redirects.

For the oldstable distribution (stretch), these problems have been fixed in
version 8.5.50-0+deb9u1. This update also requires an updated version of
tomcat-native, which has been updated to 1.2.21-1~deb9u1.
We recommend that you upgrade your tomcat8 packages.

For the detailed security status of tomcat8 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/tomcat8

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
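As an added example (not part of the AusCERT or Debian text), the check below compares installed package versions with the fixed versions the advisory names, 8.5.50-0+deb9u1 for tomcat8 and 1.2.21-1~deb9u1 for tomcat-native, reproducing dpkg's version ordering so that the `~deb9u1` backport suffix is handled correctly; the dpkg-query output it reads is a constructed sample.

```python
# Added example, not from the bulletin: compare installed Debian package versions
# with the fixed versions in DSA-4596-1 using dpkg's ordering ('~' sorts before
# anything, so "1.2.21-1~deb9u1" correctly counts as older than "1.2.21-1").
FIXED = {"tomcat8": "8.5.50-0+deb9u1", "tomcat-native": "1.2.21-1~deb9u1"}  # from the DSA

def _order(c):  # dpkg's weight for one character of a non-digit run; '' = end of string
    if not c or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256  # letters sort before non-letters

def _cmp_part(a, b):
    """Compare an upstream or revision string the way dpkg's verrevcmp does."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            d = _order(a[:1]) - _order(b[:1])  # non-digit run, character by character
            if d:
                return -1 if d < 0 else 1
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # digit run: compare numerically
        first = 0
        while a[:1].isdigit() and b[:1].isdigit():
            first = first or (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit() or b[:1].isdigit():
            return 1 if a[:1].isdigit() else -1  # the longer digit run is larger
        if first:
            return first
    return 0

def deb_cmp(v1, v2):
    """Return -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = rest.rpartition("-")  # revision follows the last '-'
        return int(epoch), (upstream or revision), (revision if upstream else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def unpatched(dpkg_output, fixed=FIXED):
    """Names of packages in `fixed` whose installed version is below the fixed one."""
    installed = dict(line.split() for line in dpkg_output.splitlines() if line.strip())
    return [p for p, v in fixed.items() if p in installed and deb_cmp(installed[p], v) < 0]

# Constructed sample in the shape of dpkg-query -W -f='${Package} ${Version}\n' output:
# tomcat8 still on an older stretch build, tomcat-native already at the fixed version.
SAMPLE_DPKG = "tomcat8 8.5.14-1+deb9u3\ntomcat-native 1.2.21-1~deb9u1\n"  # -> ['tomcat8']
```

Run `unpatched()` over the real `dpkg-query -W -f='${Package} ${Version}\n'` output of a stretch host to list which of the two packages still need the update.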