-----BEGIN PGP SIGNED MESSAGE-----

Debian Security Advisory DSA-3843-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
May 03, 2017                          https://www.debian.org/security/faq

- -------------------------------------------------------------------------



Package        : tomcat8
CVE ID         : CVE-2017-5647 CVE-2017-5648
Debian Bug     : 860068 860069



Two vulnerabilities were discovered in tomcat8, a servlet and JSP
engine.



CVE-2017-5647

    Pipelined requests were processed incorrectly, which could result in
    some responses appearing to be sent for the wrong request.

CVE-2017-5648

    Some application listener calls were issued against the wrong
    objects, allowing untrusted applications running under a
    SecurityManager to bypass that protection mechanism and access or
    modify information associated with other web applications.



For the stable distribution (jessie), these problems have been fixed in
version 8.0.14-1+deb8u9.

For the upcoming stable (stretch) and unstable (sid) distributions,
these problems have been fixed in version 8.5.11-2.



We recommend that you upgrade your tomcat8 packages.



Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



Mailing list: debian-security-announce@lists.debian.org

