-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2525
                          tomcat8 security update
                                23 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat8
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13935 CVE-2020-13934
Reference:         ESB-2020.2409

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2286

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2286-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
July 22, 2020                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : tomcat8
Version        : 8.5.54-0+deb9u3
CVE ID         : CVE-2020-13934 CVE-2020-13935

Several security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.

CVE-2020-13934

    An h2c direct connection to Apache Tomcat did not release the HTTP/1.1
    processor after the upgrade to HTTP/2. If a sufficient number of such
    requests were made, an OutOfMemoryException could occur leading to a
    denial of service.

CVE-2020-13935

    The payload length in a WebSocket frame was not correctly validated in
    Apache Tomcat. Invalid payload lengths could trigger an infinite loop.
    Multiple requests with invalid payload lengths could lead to a denial
    of service.

For Debian 9 stretch, these problems have been fixed in version
8.5.54-0+deb9u3.

We recommend that you upgrade your tomcat8 packages.
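The CVE-2020-13935 description above comes down to a frame parser that trusted the payload length field. As an added illustration (not code from Tomcat, Debian or AusCERT, and written in Python rather than Tomcat's Java), the following RFC 6455 header parser shows the checks a receiver applies before acting on that length: minimal encoding, top bit of the 64-bit length clear, a configured upper bound (MAX_FRAME_PAYLOAD is an assumed value) and the control-frame limits, with a ValueError instead of a loop on anything that fails.

```python
import struct
# Largest single-frame payload this parser accepts; a server would set it
# from its configured maximum message size (assumed value for the example).
MAX_FRAME_PAYLOAD = 1 << 20

def parse_frame_header(buf):
    """Parse an RFC 6455 frame header, returning (fin, opcode, masked,
    payload_len, header_len). Raises ValueError on truncated or oversized
    lengths, non-minimal encodings, a 64-bit length with its top bit set
    (the input class behind CVE-2020-13935) and malformed control frames."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    fin = bool(buf[0] & 0x80)
    opcode = buf[0] & 0x0F
    masked = bool(buf[1] & 0x80)
    length = buf[1] & 0x7F
    pos = 2
    if length == 126:
        if len(buf) < pos + 2:
            raise ValueError("truncated 16-bit length")
        (length,) = struct.unpack("!H", buf[pos:pos + 2])
        pos += 2
        if length < 126:
            raise ValueError("non-minimal 16-bit length")
    elif length == 127:
        if len(buf) < pos + 8:
            raise ValueError("truncated 64-bit length")
        (length,) = struct.unpack("!Q", buf[pos:pos + 8])
        pos += 8
        if length >> 63:
            raise ValueError("64-bit length has MSB set")
        if length < 65536:
            raise ValueError("non-minimal 64-bit length")
    if length > MAX_FRAME_PAYLOAD:
        raise ValueError("payload exceeds configured maximum")
    if opcode >= 0x8 and (length > 125 or not fin):
        raise ValueError("control frame must be short and unfragmented")
    if masked:
        pos += 4  # four-byte masking key follows the length fields
        if len(buf) < pos:
            raise ValueError("truncated masking key")
    return fin, opcode, masked, length, pos

def is_valid_frame_header(buf):
    try:
        parse_frame_header(buf)
        return True
    except ValueError:
        return False
```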
For the detailed security status of tomcat8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat8

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.