-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4472
                          tomcat8 security update
                             18 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat8
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-17527  

Reference:         ESB-2020.4294

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/12/msg00022.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -----------------------------------------------------------------------
Debian LTS Advisory DLA-2495-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
December 16, 2020                           https://wiki.debian.org/LTS
- - -----------------------------------------------------------------------

Package        : tomcat8
Version        : 8.5.54-0+deb9u5
CVE ID         : CVE-2020-17527

It was discovered that Apache Tomcat from 8.5.0 to 8.5.59 could
re-use an HTTP request header value from the previous stream
received on an HTTP/2 connection for the request associated with
the subsequent stream. While this would most likely lead to an
error and the closure of the HTTP/2 connection, it is possible
that information could leak between requests.

For Debian 9 stretch, this problem has been fixed in version
8.5.54-0+deb9u5.

We recommend that you upgrade your tomcat8 packages.

For the detailed security status of tomcat8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat8

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl/aQ1AACgkQgj6WdgbD
S5ZefBAA21NoL5w3uhkWrP4Wmz2YOGHmJcMQz4XSn31W3Jum3KRyzdlIj1Po11Bl
388HdnT1ZQ4wKvn5vSGEOLWcb+QfeoABD7hUYR6fWUaUz5Pxqf36LJKlJkJvY61i
tgp7B6RIju2GT6T+wtNRXXUtrMk0VZaafRYezPUUJeFxvHm2lgH1glpG8PaAHEv3
Q0LLwcu0OFoKQcResi8j8sZuBNX+MUqeSyZhXwlMFkieKZw4cZ8bGcoI6U8iZmZX
lEERSwXcsJuqUQrHoVT6jK3zSLDTVniII/cdyfIyIXjHtM9TbS9hPU5/i2fx/G48
NlkUkUKoRiaWrRChpLggJu12Ps3SHE8tT3Y+/rIfXhHrkwveaJzt7ez/d4nRZQ4H
K6HI+Ic936Zj6m4OkNyPJn8KwWKi7zAJHZ8Ksjj9hYDrppAvytg+6JO+iq3/SNGF
+iCGSJa2wxv3N1arTrOlQNrUvLA689hiZY2R/F+ELZGwBSe11BqykmgLsMVOBi6U
w/LVlv7pzUlmMAY0dKHJPWjFQx1pMKLsgaf5PioonyDwmaDT8D7zCldIsbC7ORB2
P7zwV6AKAKFq5cNnEB4K/qjmEhPqdVw8OdRCI8E66l33rMn0+Z3xCyfGN7hx7oVN
FH+REwSs8NTXUhe1k8kMFPycMplO8iJBGezbVFJawhW7LUWAawI=
=GWPF
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX9v8dONLKJtyKPYoAQgJVA/9GrKyvQ6r4gmgxppS3kBVOmKWkntMAGPm
xJB96U1dbvcBD57iUnmgrli+Hb9CAG1yyi3tGePlZWQTLwImZ7kQw29hHxrnpgTu
Q3vbu2Y6tc/uVk5peCShFq83WHNMH8y41GugZQmZuDG4OcQ53cmJuFalByAgwu6A
AZ35rjUmOy//iZQZzEwgTPVmshpeW/JDqQxQ1hEax34rvcTCxChFp0jCJBiqFwm0
AXm1NJQF9aEddqJxwtbeI7I/iXrBhQtzWh8s+sxlTpSNx1kpiGOpSds3PMhuXPIr
MQdMdPMkjuHq+L5DQGmcR/I2BESU2eLjXHTdmjGbNAm5MSyFDcRMDZrO/1zDf9xf
tbrD/BchhnnwVSLzlAvp8bWTVanJG7NGqqR3xzWZ9g47yegTW83zkNqUCrvrUkm+
I1QXlZ5bk05xonKNRumNYLIJAnGJLWrMZfbDXtRcabO9xXZSK4h/UQMLvdlDB2ws
ma1BbXB36i9qwySgzcC/gWSUcFxr+TEEK0E8b9F963LHKYwIpShWdYJ3k2AHrLvJ
rROSaS5j9j0n3Go85sIJpsC5X62rQPcgz4qHjeYl5QW+TNM6D/hgdDCn8/7Dfosa
8YeJPRYwFPJX0Ox+lhJT2xcTWvymVWhGDOsg23wppe94rMuU9iKSS9WR/WuEe8z6
qgnpAYZNH/s=
=ZrvO
-----END PGP SIGNATURE-----