Release Info

Advisory: CLSA-2022:1655757814

OS: Ubuntu 16.04 ELS

Public date: 2022-06-20 00:00:00

Project: tomcat7

Version: 7.0.68-1ubuntu0.4+tuxcare.els1

Errata link: https://errata.tuxcare.com/els_os/ubuntu16.04els/CLSA-2022-1655757814.html

Changelog

* Fix build process:
  - debian/keystores/*.pem|*.jks: update expiring certs and keystores
  - debian/patches/0028-update-expiring-test-certs.patch: update expiring test certs
  - debian/patches/0029-fix-path-to-valid-keystore.patch: fix path to valid keystore
  - debian/patches/0030-use-tls12-in-tests.patch: use TLSv1.2 protocol instead of TLSv1 for several tests
* SECURITY UPDATE: AJP Request Injection and potential Remote Code Execution
  - debian/patches/CVE-2020-1938-1.patch: rename requiredSecret to secret and add secretRequired
  - debian/patches/CVE-2020-1938-2.patch: refactor secret check
  - debian/patches/CVE-2020-1938-3.patch: add new AJP attribute allowedArbitraryRequestAttributes
  - debian/patches/CVE-2020-1938-4.patch: change the default bind address for AJP to the loopback address
  - CVE-2020-1938
* SECURITY UPDATE: Remote Code Execution via session persistence
  - debian/patches/CVE-2020-9484.patch: improve validation of storage location when using FileStore
  - CVE-2020-9484
* SECURITY UPDATE: Fix for CVE-2020-9484 was incomplete
  - debian/patches/CVE-2021-25329.patch: use consistent approach for sub-directory checking
  - CVE-2021-25329
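As an added illustration (not part of this advisory or of the tomcat7 package), the server.xml AJP connector fragment below shows the pre-patch exposure beside the settings the CVE-2020-1938 patches introduce: a loopback-only bind and a required shared secret. The port, redirectPort and the secret value are placeholders; any reverse proxy in front of Tomcat must be configured with the same secret or it will be refused.

```xml
<!-- Before the fix: AJP listens on every interface and accepts any peer,
     so anything that can reach port 8009 can speak AJP to Tomcat. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- After the fix: bind only to loopback and require a shared secret.
     secretRequired="true" makes the connector refuse to start without one.
     Replace the placeholder secret with a long random value. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_SECRET" />
```

If no front-end proxy uses AJP at all, removing the AJP connector entirely is the simpler option.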

Update

Update command:

apt-get update
apt-get --only-upgrade install tomcat7*

Packages list

libservlet3.0-java_7.0.68-1ubuntu0.4+tuxcare.els1_all.deb
libservlet3.0-java-doc_7.0.68-1ubuntu0.4+tuxcare.els1_all.deb
libtomcat7-java_7.0.68-1ubuntu0.4+tuxcare.els1_all.deb
tomcat7_7.0.68-1ubuntu0.4+tuxcare.els1_all.deb
tomcat7-admin_7.0.68-1ubuntu0.4+tuxcare.els1_all.deb
tomcat7-common_7.0.68-1ubuntu0.4+tuxcare.els1_all.deb
tomcat7-docs_7.0.68-1ubuntu0.4+tuxcare.els1_all.deb
tomcat7-examples_7.0.68-1ubuntu0.4+tuxcare.els1_all.deb
tomcat7-user_7.0.68-1ubuntu0.4+tuxcare.els1_all.deb

CVEs

CVE-2020-9484
CVE-2021-25329
CVE-2020-1938