Package: tomcat8
Version: 8.5.50-0+deb9u1
Severity: important

Hi,

tomcat8, as shipped with Debian stretch/oldstable, is vulnerable to "ghostcat", see https://www.chaitin.cn/en/ghostcat . PoC exploit code has been published. Specifically, Apache Tomcat 8.x < 8.5.51 is vulnerable. Upstream has published 8.5.51 to fix this vulnerability (and other issues, see https://tomcat.apache.org/tomcat-8.5-doc/changelog.html).

Tomcat as shipped by Debian is likely not vulnerable from the network in the default configuration, since by default the Tomcat AJP Connector only listens on localhost:8009, not on *:8009 .

See also:
https://security-tracker.debian.org/tracker/CVE-2020-1938
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
https://www.cnvd.org.cn/webinfo/show/5415 (in Chinese)

Bye,
Joost
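As an added example (not part of Joost's report or of the Debian tomcat8 package), a small Python check that scans a Tomcat server.xml for AJP connectors and reports the exposure the report describes: an AJP connector whose address attribute is absent or bound to every interface instead of localhost. Both embedded server.xml fragments are constructed samples; the secret / secretRequired attributes are the ones upstream added with the 8.5.51 fix, and the secret value is a placeholder.

```python
import xml.etree.ElementTree as ET
from typing import List

# Addresses that keep the AJP port reachable from the local host only.
LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def ajp_findings(server_xml: str) -> List[str]:
    """Return one finding per risky AJP connector in a Tomcat server.xml string.

    Flags a connector whose 'address' is missing (before 8.5.51 that meant every
    interface) or set to a non-loopback address, and one with no AJP 'secret'.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        port = conn.get("port", "?")
        addr = conn.get("address")
        if addr is None or addr in ALL_INTERFACES:
            findings.append(f"AJP port {port}: bound to all interfaces (address={addr!r})")
        elif addr not in LOOPBACK:
            findings.append(f"AJP port {port}: bound to non-loopback address {addr!r}")
        # 'secret'/'secretRequired' are the 8.5.51 attributes; older Tomcat ignores them.
        if not conn.get("secret"):
            findings.append(f"AJP port {port}: no AJP secret configured")
    return findings


# Constructed sample: pre-8.5.51 style connector, no address, no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: loopback-bound AJP with a shared secret (placeholder value).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, ajp_findings(xml) or ["ok"])
```

Run it against /etc/tomcat8/server.xml to see whether the AJP connector on a given host is actually confined to localhost as the report assumes.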