diff options
authorChris Lamb <lamby@debian.org>2020-05-23 18:29:13 +0100
committerChris Lamb <lamby@debian.org>2020-05-23 17:30:30 +0000
commit7882b5b7ec70cb22d1377e56ab2123a55e821785 (patch)
parent08b1892f621f0b67d0eab31bd4d6a8ecf6005ae3 (diff)
Add DLA-2217-1.
2 files changed, 48 insertions, 0 deletions
diff --git a/english/lts/security/2020/dla-2217.data b/english/lts/security/2020/dla-2217.data
new file mode 100644
index 0000000..01c1b0c
--- /dev/null
+++ b/english/lts/security/2020/dla-2217.data
@@ -0,0 +1,9 @@
+<define-tag pagetitle>DLA-2217-1 tomcat7</define-tag>
+<define-tag report_date>2020-05-23</define-tag>
+<define-tag secrefs>CVE-2020-9484</define-tag>
+<define-tag packages>tomcat7</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+#use wml::debian::security
diff --git a/english/lts/security/2020/dla-2217.wml b/english/lts/security/2020/dla-2217.wml
new file mode 100644
index 0000000..eb2dabb
--- /dev/null
+++ b/english/lts/security/2020/dla-2217.wml
@@ -0,0 +1,39 @@
+<define-tag description>LTS security update</define-tag>
+<define-tag moreinfo>
+<p>It was discovered that there was a potential remote code execution via
+deserialization in tomcat7, a server for HTTP and Java "servlets".</p>
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-9484">CVE-2020-9484</a>
+ <p>When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to
+ 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to
+ control the contents and name of a file on the server; and b) the server is
+ configured to use the PersistenceManager with a FileStore; and c) the
+ PersistenceManager is configured with
+ sessionAttributeValueClassNameFilter="null" (the default unless a
+ SecurityManager is used) or a sufficiently lax filter to allow the attacker
+ provided object to be deserialized; and d) the attacker knows the relative
+ file path from the storage location used by FileStore to the file the
+ attacker has control over; then, using a specifically crafted request, the
+ attacker will be able to trigger remote code execution via deserialization
+ of the file under their control. Note that all of conditions a) to d) must
+ be true for the attack to succeed.</p></li>
+<p>For Debian 8 <q>Jessie</q>, these problems have been fixed in version
+<p>We recommend that you upgrade your tomcat7 packages.</p>
+<p>Further information about Debian LTS security advisories, how to apply
+these updates to your system and frequently asked questions can be
+found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p>
+# do not modify the following line
+#include "$(ENGLISHDIR)/lts/security/2020/dla-2217.data"
+# $Id: $

© 2014-2020 Faster IT GmbH | imprint | privacy policy