Control: severity -1 normal

Hello,

On 04.05.20 at 21:58, Gianluca Bonetti wrote:
> Package: tomcat8
> Version: 8.5.54-0+deb9u1
> Severity: grave
>
> Dear Maintainer,
>
> Last tomcat8 upgrade, fixing CVE-2020-1938, is breaking the
> functionalities of Tomcat AJP connector
> in standard setup.
> The updated tomcat8 version implements 'secretRequired' parameter in
> <Connector> tag for config file
> /etc/tomcat8/server.xml (attached by reportbug) and the implicit default
> for 'secretRequired' is true.
> The default value is not explicitly marked in the standard server.xml,
> nor documented there.

[...]

The security update requires a manual update to your Tomcat 8 configuration, and only in specific cases. Debian cannot fix that automatically.

The Tomcat 8 documentation is relevant here:

https://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html

This is not a Debian bug and it works as intended.
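Added example, not part of the original mail and not Debian or Tomcat code: a small check that reads a server.xml and reports which AJP connectors are affected by the implicit `secretRequired="true"` default discussed above. The sample XML is constructed, the function names and placeholder secret are hypothetical, and treating `requiredSecret` as the older name for `secret` is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the server.xml attached to the bug report.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" secretRequired="false" />
    <Connector port="8011" protocol="AJP/1.3" secret="CHANGE-ME-placeholder" />
  </Service>
</Server>
"""


def is_ajp(connector):
    """True for protocol="AJP/1.3" or an explicit AJP protocol class name."""
    proto = connector.get("protocol", "")
    return proto.upper().startswith("AJP/") or ".ajp." in proto.lower()


def audit_ajp_connectors(xml_text):
    """Return (port, status) for every AJP <Connector> in the given server.xml text."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not is_ajp(conn):
            continue
        # An absent attribute means the implicit default, which is true.
        required = conn.get("secretRequired", "true").strip().lower() == "true"
        # Assumption: requiredSecret is accepted as the older name for secret.
        secret = conn.get("secret") or conn.get("requiredSecret") or ""
        if secret:
            status = "ok"              # workers must present the same secret
        elif required:
            status = "will-not-start"  # secret required but not configured
        else:
            status = "no-secret"       # starts, but accepts unauthenticated AJP
        findings.append((conn.get("port", "?"), status))
    return findings


if __name__ == "__main__":
    for port, status in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {status}")
```

A connector reported as `will-not-start` needs either a `secret` that the front-end proxy also sends, or an explicit `secretRequired="false"` where the connector is only reachable on a trusted network.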