Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.4472 tomcat8 security update 18 December 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: tomcat8 Publisher: Debian Operating System: Debian GNU/Linux Impact/Access: Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-17527 Reference: ESB-2020.4294 Original Bulletin: https://lists.debian.org/debian-lts-announce/2020/12/msg00022.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - - ----------------------------------------------------------------------- Debian LTS Advisory DLA-2495-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Utkarsh Gupta December 16, 2020 https://wiki.debian.org/LTS - - ----------------------------------------------------------------------- Package : tomcat8 Version : 8.5.54-0+deb9u5 CVE ID : CVE-2020-17527 It was discovered that Apache Tomcat from 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. For Debian 9 stretch, this problem has been fixed in version 8.5.54-0+deb9u5. We recommend that you upgrade your tomcat8 packages. For the detailed security status of tomcat8 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat8 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl/aQ1AACgkQgj6WdgbD S5ZefBAA21NoL5w3uhkWrP4Wmz2YOGHmJcMQz4XSn31W3Jum3KRyzdlIj1Po11Bl 388HdnT1ZQ4wKvn5vSGEOLWcb+QfeoABD7hUYR6fWUaUz5Pxqf36LJKlJkJvY61i tgp7B6RIju2GT6T+wtNRXXUtrMk0VZaafRYezPUUJeFxvHm2lgH1glpG8PaAHEv3 Q0LLwcu0OFoKQcResi8j8sZuBNX+MUqeSyZhXwlMFkieKZw4cZ8bGcoI6U8iZmZX lEERSwXcsJuqUQrHoVT6jK3zSLDTVniII/cdyfIyIXjHtM9TbS9hPU5/i2fx/G48 NlkUkUKoRiaWrRChpLggJu12Ps3SHE8tT3Y+/rIfXhHrkwveaJzt7ez/d4nRZQ4H K6HI+Ic936Zj6m4OkNyPJn8KwWKi7zAJHZ8Ksjj9hYDrppAvytg+6JO+iq3/SNGF +iCGSJa2wxv3N1arTrOlQNrUvLA689hiZY2R/F+ELZGwBSe11BqykmgLsMVOBi6U w/LVlv7pzUlmMAY0dKHJPWjFQx1pMKLsgaf5PioonyDwmaDT8D7zCldIsbC7ORB2 P7zwV6AKAKFq5cNnEB4K/qjmEhPqdVw8OdRCI8E66l33rMn0+Z3xCyfGN7hx7oVN FH+REwSs8NTXUhe1k8kMFPycMplO8iJBGezbVFJawhW7LUWAawI= =GWPF - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX9v8dONLKJtyKPYoAQgJVA/9GrKyvQ6r4gmgxppS3kBVOmKWkntMAGPm xJB96U1dbvcBD57iUnmgrli+Hb9CAG1yyi3tGePlZWQTLwImZ7kQw29hHxrnpgTu Q3vbu2Y6tc/uVk5peCShFq83WHNMH8y41GugZQmZuDG4OcQ53cmJuFalByAgwu6A AZ35rjUmOy//iZQZzEwgTPVmshpeW/JDqQxQ1hEax34rvcTCxChFp0jCJBiqFwm0 AXm1NJQF9aEddqJxwtbeI7I/iXrBhQtzWh8s+sxlTpSNx1kpiGOpSds3PMhuXPIr MQdMdPMkjuHq+L5DQGmcR/I2BESU2eLjXHTdmjGbNAm5MSyFDcRMDZrO/1zDf9xf tbrD/BchhnnwVSLzlAvp8bWTVanJG7NGqqR3xzWZ9g47yegTW83zkNqUCrvrUkm+ I1QXlZ5bk05xonKNRumNYLIJAnGJLWrMZfbDXtRcabO9xXZSK4h/UQMLvdlDB2ws ma1BbXB36i9qwySgzcC/gWSUcFxr+TEEK0E8b9F963LHKYwIpShWdYJ3k2AHrLvJ rROSaS5j9j0n3Go85sIJpsC5X62rQPcgz4qHjeYl5QW+TNM6D/hgdDCn8/7Dfosa 8YeJPRYwFPJX0Ox+lhJT2xcTWvymVWhGDOsg23wppe94rMuU9iKSS9WR/WuEe8z6 qgnpAYZNH/s= =ZrvO -----END PGP SIGNATURE-----