Package: tomcat7
Version: 7.0.56-3+really7.0.99-1
Severity: important
Hi,

tomcat7, as shipped with Debian jessie/oldoldstable (and 8 and 9), is vulnerable to "ghostcat", see https://www.chaitin.cn/en/ghostcat . PoC exploit code has been published.

Specifically,
  Apache Tomcat 9.x < 9.0.31
  Apache Tomcat 8.x < 8.5.51
  Apache Tomcat 7.x < 7.0.100
are vulnerable.

Upstream has published 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability (and other issues).

Tomcat as shipped by Debian is likely not vulnerable from the network in the default configuration, since by default the Tomcat AJP Connector only listens on localhost:8009, not on *:8009.

See also:
https://security-tracker.debian.org/tracker/CVE-2020-1938
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
https://www.cnvd.org.cn/webinfo/show/5415 (in Chinese)

Bye,
Joost
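An added example, not part of the bug report or of the Debian/Tomcat packages: a small audit helper that checks the two things the report turns on, whether the installed Tomcat version is below the fixed releases named above (7.0.100, 8.5.51, 9.0.31) and whether any AJP Connector in server.xml is bound to something other than loopback. The server.xml snippets are constructed for the example; the version-string parsing assumes the Debian "+really" convention seen in the report header.

```python
import re
import xml.etree.ElementTree as ET

# Fixed upstream releases for CVE-2020-1938, per the report: 7.0.100, 8.5.51, 9.0.31.
FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}

# Constructed server.xml fragments: the first mirrors Debian's loopback-only default,
# the second exposes the AJP connector on every interface.
LOOPBACK_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1"/>
</Service></Server>"""
EXPOSED_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""


def parse_version(v):
    """Return the upstream x.y.z triple; for Debian strings such as
    '7.0.56-3+really7.0.99-1' the last triple is the version actually shipped."""
    found = re.findall(r"\d+\.\d+\.\d+", v)
    if not found:
        raise ValueError(f"no x.y.z version in {v!r}")
    return tuple(int(x) for x in found[-1].split("."))


def version_vulnerable(v):
    """True if v is a 7.x/8.x/9.x release older than the fixed version for its branch.
    Branches not listed in FIXED are reported as not vulnerable (unknown, not assessed)."""
    t = parse_version(v)
    fixed = FIXED.get(t[0])
    return fixed is not None and t < fixed


def exposed_ajp_connectors(server_xml):
    """Return (address, port) for each AJP Connector not bound to a loopback address.
    An unset 'address' means all interfaces on unpatched 7.x/8.x releases."""
    root = ET.fromstring(server_xml)
    exposed = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        addr = conn.get("address", "0.0.0.0")
        port = int(conn.get("port", "8009"))
        if addr not in ("localhost", "127.0.0.1", "::1"):
            exposed.append((addr, port))
    return exposed


def assess(version, server_xml):
    """Combine both checks: a host needs both a vulnerable version and an exposed
    AJP listener to be reachable from the network, as the report describes."""
    exposed = exposed_ajp_connectors(server_xml)
    return {"vulnerable_version": version_vulnerable(version),
            "exposed_ajp": exposed,
            "network_reachable": version_vulnerable(version) and bool(exposed)}
```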