[Bug 1721749] Re: Security Fix - CVE-2017-12617

Fri, 08 Jan 2021 22:35:41 -0800 

tomcat7 (7.0.52-1ubuntu0.14) trusty-security; urgency=medium

  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-1261x.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java
      java/org/apache/naming/resources/FileDirContext.java,
      java/org/apache/naming/resources/JrePlatform.java,
      java/org/apache/naming/resources/LocalStrings.properties,
      java/org/apache/naming/resources/VirtualDirContext.java,
      test/org/apache/naming/resources/TestFileDirContext.java.
    - CVE-2017-12616
    - CVE-2017-12617
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Tue, 29 May 2018
10:22:42 -0400

** Also affects: tomcat7 (Ubuntu)
   Importance: Undecided
       Status: New

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1261

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12616

** Changed in: tomcat7 (Ubuntu Trusty)
       Status: New => Fix Released

** No longer affects: tomcat8 (Ubuntu Trusty)

** Changed in: tomcat7 (Ubuntu Artful)
       Status: New => Won't Fix

** No longer affects: tomcat7 (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1721749

Title:
  Security Fix - CVE-2017-12617

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1721749/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to