Your message dated Mon, 13 Jul 2020 12:51:13 +0200
with message-id <[email protected]>
and subject line Re: tomcat8: vulnerable for "ghostcat", CVE-2020-1938 / CNVD-2020-10487
has caused the Debian Bug report #952438,
regarding tomcat8: CVE-2020-1938 AJP Request Injection and potential RCE
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
952438: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952438
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tomcat8
Version: 8.5.50-0+deb9u1
Severity: important

Hi,

tomcat8, as shipped with Debian stretch/oldstable, is vulnerable to "ghostcat",
see https://www.chaitin.cn/en/ghostcat .  PoC exploit code has been published.
Specifically, Apache Tomcat 8.x < 8.5.51 is vulnerable.  Upstream has published
8.5.51 to fix this vulnerability (and other issues, see
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html).

Tomcat as shipped by Debian is likely not vulnerable from the network in the
default configuration, since by default the Tomcat AJP Connector only listens on
localhost:8009, not on *:8009.

See also:

https://security-tracker.debian.org/tracker/CVE-2020-1938
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
https://www.cnvd.org.cn/webinfo/show/5415 (in Chinese)

Bye,

Joost

--- End Message ---
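The report's mitigating factor is the AJP connector's bind address: a connector with no `address` attribute listens on every interface, while the Debian default binds it to loopback. The following is an added audit script, not code from the bug report, from Debian or from the Tomcat project. It parses a constructed `server.xml` fragment (not Debian's actual file), flags any AJP connector that is reachable beyond loopback, notes whether the connector's `secret` attribute is set (Tomcat 8.5.51 and later require one unless `secretRequired` is false), and compares an upstream 8.5.x version string against the 8.5.51 fix version named in the report. The `secretRequired`/`secret` attribute names are real Tomcat connector attributes; the sample XML and the secret value are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (NOT Debian's shipped file): one AJP
# connector bound to all interfaces, one bound to loopback with a secret.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-SECRET"/>
  </Service>
</Server>
"""

# Bind addresses that keep the connector off the network.
LOOPBACK_ADDRESSES = {"localhost", "127.0.0.1", "::1"}

# First upstream 8.5.x release containing the CVE-2020-1938 fix, per the report.
FIXED_85_VERSION = (8, 5, 51)


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector found in server.xml.

    Each finding lists the port, the effective bind address ('*' when the
    'address' attribute is absent, i.e. all interfaces) and a list of issues.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        address = conn.get("address")
        issues = []
        # No address attribute means Tomcat binds the connector to every interface.
        if address is None or address.strip("[]") not in LOOPBACK_ADDRESSES:
            issues.append("AJP connector reachable beyond loopback")
        # Tomcat 8.5.51+ defaults secretRequired to true; a missing secret then
        # means the connector will not start, or (on older builds) accepts
        # unauthenticated AJP from whatever can reach the port.
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        if secret_required and not conn.get("secret"):
            issues.append("no AJP secret configured")
        findings.append({
            "port": conn.get("port"),
            "address": address if address is not None else "*",
            "issues": issues,
        })
    return findings


def tomcat85_is_fixed(version: str) -> bool:
    """True if an upstream 8.5.x version (Debian suffix after '-' ignored)
    is at or above 8.5.51. Only meaningful for the 8.5 branch."""
    upstream = version.split("-")[0]
    parts = tuple(int(p) for p in upstream.split("."))
    if parts[:2] != (8, 5):
        raise ValueError("only Tomcat 8.5.x versions are handled here")
    return parts >= FIXED_85_VERSION


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print(f"AJP port {f['port']} bound to {f['address']}: {status}")
    for v in ("8.5.50-0+deb9u1", "8.5.54-0+deb9u1"):
        print(f"{v}: {'fixed' if tomcat85_is_fixed(v) else 'vulnerable'}")
```

Run it against a real `/etc/tomcat8/server.xml` by reading the file into `audit_ajp_connectors`; a connector reported with address `*` is the case the report describes as exposed, and disabling the connector or binding it to loopback closes that exposure independently of the package upgrade.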
--- Begin Message ---
Control: fixed -1 8.5.54-0+deb9u1

Closing as fixed in version 8.5.54-0+deb9u1.

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
