-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.0408.2
                          tomcat7 security update
                             23 February 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat7 and tomcat8
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3787
   http://www.debian.org/security/2017/dsa-3788

Comment: This bulletin contains two (2) Debian security advisories.
         
         This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running tomcat7 and tomcat8 check for an updated version of the 
         software for their operating system.

Revision History:  February 23 2017: Updated packages now available
                   February 14 2017: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3787-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 22, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : tomcat7

The update for tomcat7 issued as DSA-3787-1 caused the server to return
HTTP 400 errors under certain circumstances. Updated packages are now
available to correct this issue. For reference, the original advisory
text follows.

It was discovered that a programming error in the processing of HTTPS
requests in the Apache Tomcat servlet and JSP engine may result in
denial of service via an infinite loop.

For the stable distribution (jessie), this problem has been fixed in
version 7.0.56-3+deb8u9.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

Subject:	[SECURITY] [DSA 3788-2] tomcat8 regression update
From:	Salvatore Bonaccorso <carnil@debian.org>
Reply-To:	listadmin@securityfocus.com
Date:	Wed, 22 Feb 2017 16:14:53 +0000
To:	bugtraq@securityfocus.com


=====================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3788-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 22, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : tomcat8

The update for tomcat8 issued as DSA-3788-1 caused the server to return
HTTP 400 errors under certain circumstances. Updated packages are now
available to correct this issue. For reference, the original advisory
text follows.

It was discovered that a programming error in the processing of HTTPS
requests in the Apache Tomcat servlet and JSP engine may result in
denial of service via an infinite loop.

For the stable distribution (jessie), this problem has been fixed in
version 8.0.14-1+deb8u8.

We recommend that you upgrade your tomcat8 packages.
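Added example (not part of either Debian advisory or of the dpkg project): a pure-Python re-implementation of dpkg's version-comparison rules that checks whether an installed tomcat7 or tomcat8 package is older than the fixed versions named in DSA-3787-2 and DSA-3788-2, so the check also runs on a non-Debian analysis host. The function names are my own, and the installed version strings used in the checks are constructed; on a real host they would come from dpkg-query.

```python
import re
from itertools import zip_longest

# Fixed versions quoted in DSA-3787-2 / DSA-3788-2 for Debian 8 (jessie).
FIXED_VERSIONS = {"tomcat7": "7.0.56-3+deb8u9", "tomcat8": "8.0.14-1+deb8u8"}
_TOKENS = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs

def _order(c):
    # dpkg character weight: digits and end-of-string 0, letters ord(c),
    # '~' sorts before everything (-1), other symbols after letters (ord+256).
    if c.isdigit() or not c:
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _cmp_fragment(a, b):
    # Compare an upstream or revision string the dpkg way: a lexical non-digit
    # run, then a numeric digit run, repeated until one side wins.
    pairs = zip_longest(_TOKENS.findall(a), _TOKENS.findall(b), fillvalue=("", ""))
    for (xa, na), (xb, nb) in pairs:
        for ca, cb in zip_longest(xa, xb, fillvalue=""):
            d = _order(ca) - _order(cb)
            if d:
                return d
        d = int(na or 0) - int(nb or 0)  # leading zeros are insignificant
        if d:
            return d
    return 0

def parse_version(v):
    # '[epoch:]upstream[-revision]': the epoch ends at the first colon, the
    # revision starts after the LAST hyphen (upstream versions may contain '-').
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    # -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`.
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    r = (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)

def needs_update(package, installed):
    # True when the installed package is older than the advisory's fixed version.
    # On a Debian host `installed` comes from: dpkg-query -W -f='${Version}' tomcat7
    return compare_versions(installed, FIXED_VERSIONS[package]) < 0
```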

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----