-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2525
                          tomcat8 security update
                               23 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat8
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13935 CVE-2020-13934 

Reference:         ESB-2020.2409

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2286

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2286-1               debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Markus Koschany
July 22, 2020                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : tomcat8
Version        : 8.5.54-0+deb9u3
CVE ID         : CVE-2020-13934 CVE-2020-13935

Several security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.

CVE-2020-13934

    An h2c direct connection to Apache Tomcat did not release the
    HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient
    number of such requests were made, an OutOfMemoryException could
    occur leading to a denial of service.

CVE-2020-13935

    The payload length in a WebSocket frame was not correctly validated
    in Apache Tomcat. Invalid payload lengths could trigger an infinite
    loop. Multiple requests with invalid payload lengths could lead to a
    denial of service.
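As an added illustration of the WebSocket framing rules that a server must enforce before acting on a payload length (this is example code written for this bulletin, not code from the Debian advisory or from Apache Tomcat, and it does not claim to reproduce Tomcat's own fix), the Python below parses a frame header per RFC 6455 section 5.2 and rejects every malformed length encoding up front: a 64-bit length with its top bit set, a non-minimal encoding, a control frame longer than 125 bytes or fragmented, and anything over a configured size cap. The `MAX_PAYLOAD` limit is an assumed value chosen for the example. Because the length is fully validated before any payload is read, the read loop is bounded by a known-good count and cannot be driven into an unbounded loop by a bad length field.

```python
import struct

# Constructed upper bound on a single frame's payload; a real server would
# take this from configuration (an assumed value, not a Tomcat setting).
MAX_PAYLOAD = 1 << 20


class FrameError(ValueError):
    """Raised for any frame that violates RFC 6455 framing rules."""


def parse_frame_header(buf, max_payload=MAX_PAYLOAD):
    """Parse one WebSocket frame header (RFC 6455 section 5.2).

    Returns a dict with fin, opcode, masked, mask, payload_len and
    header_len (bytes consumed). Every length encoding is validated before
    the caller learns how many payload bytes to read.
    """
    if len(buf) < 2:
        raise FrameError("need at least 2 header bytes")
    b0, b1 = buf[0], buf[1]
    fin = bool(b0 & 0x80)
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length7 = b1 & 0x7F
    pos = 2

    if length7 < 126:
        payload_len = length7
    elif length7 == 126:
        if len(buf) < pos + 2:
            raise FrameError("truncated 16-bit length")
        payload_len = struct.unpack_from(">H", buf, pos)[0]
        pos += 2
        if payload_len < 126:
            raise FrameError("length must use the minimal encoding")
    else:  # 127: 64-bit extended length follows
        if len(buf) < pos + 8:
            raise FrameError("truncated 64-bit length")
        payload_len = struct.unpack_from(">Q", buf, pos)[0]
        pos += 8
        if payload_len & (1 << 63):
            # RFC 6455 requires the top bit to be zero; interpreted as a
            # signed 64-bit integer such a value would be negative.
            raise FrameError("64-bit length has its most significant bit set")
        if payload_len < 0x10000:
            raise FrameError("length must use the minimal encoding")

    if opcode >= 0x8:  # control frames (close/ping/pong)
        if payload_len > 125:
            raise FrameError("control frame payload exceeds 125 bytes")
        if not fin:
            raise FrameError("control frames must not be fragmented")
    if payload_len > max_payload:
        raise FrameError("payload length %d exceeds limit %d"
                         % (payload_len, max_payload))

    mask = None
    if masked:
        if len(buf) < pos + 4:
            raise FrameError("truncated masking key")
        mask = bytes(buf[pos:pos + 4])
        pos += 4

    return {"fin": fin, "opcode": opcode, "masked": masked, "mask": mask,
            "payload_len": payload_len, "header_len": pos}


def read_frame(buf, max_payload=MAX_PAYLOAD):
    """Return (opcode, payload) for one complete frame, unmasking if needed.

    The slice and unmask loop are bounded by the validated payload_len, so
    a malformed length can never produce an unbounded read.
    """
    hdr = parse_frame_header(buf, max_payload)
    start = hdr["header_len"]
    end = start + hdr["payload_len"]
    if len(buf) < end:
        raise FrameError("frame truncated: expected %d payload bytes"
                         % hdr["payload_len"])
    payload = bytes(buf[start:end])
    if hdr["masked"]:
        mask = hdr["mask"]
        payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return hdr["opcode"], payload


def frame_is_valid(buf, max_payload=MAX_PAYLOAD):
    """Boolean wrapper: True if the header passes every check above."""
    try:
        parse_frame_header(buf, max_payload)
        return True
    except FrameError:
        return False
```

The masked "Hello" frame used in the checks below is the worked example from RFC 6455 section 5.7; the other byte strings are constructed for the test. A server-side parser should reject client frames that are not masked as well, which is left out here to keep the focus on length validation.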

For Debian 9 stretch, these problems have been fixed in version
8.5.54-0+deb9u3.

We recommend that you upgrade your tomcat8 packages.

For the detailed security status of tomcat8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat8

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----