
Debian: DLA-2209-1 Moderate: Tomcat8 Security Update and Threats

Debian LTS
May 28, 2020
Important security update for tomcat8 on Debian 8 addressing several vulnerabilities.
Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

Summary

WARNING: The fix for CVE-2020-1938 may disrupt services that rely on a
working AJP configuration. The option secretRequired now defaults to
true. You should define a secret in your server.xml, or you can revert
to the previous behaviour by setting secretRequired to false.
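The following script is an added example (not Debian's or Tomcat's own code) that audits the AJP connectors in a server.xml for the change described in the warning above. It assumes the attribute names the advisory and Tomcat use on the Connector element, secretRequired and secret; the sample configurations are constructed, the secret value is a placeholder, and the check on the address attribute is an extra hardening check beyond the advisory text.

```python
"""Audit the AJP connectors in a Tomcat server.xml for the DLA-2209-1 change.

Added example, not Debian's or Tomcat's own code. Assumes the Connector
attributes secretRequired and secret as documented by Tomcat. The address
check is an additional hardening check, not part of the advisory.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Protocol values that select an AJP connector in Tomcat.
AJP_PROTOCOLS = {
    "AJP/1.3",
    "org.apache.coyote.ajp.AjpNioProtocol",
    "org.apache.coyote.ajp.AjpNio2Protocol",
    "org.apache.coyote.ajp.AjpAprProtocol",
}

# Constructed sample: the "revert" setting the advisory mentions. It restores
# the pre-update behaviour and accepts AJP requests from anyone who can reach
# port 8009.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               secretRequired="false"/>
  </Service>
</Server>
"""

# Constructed sample: a jessie config left untouched after the update.
# secretRequired now defaults to true and no secret is set, so the connector
# fails to start and the front-end proxy breaks (the disruption the advisory
# warns about).
UNCHANGED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample: secretRequired left at its new default (true), a shared
# secret configured (placeholder value), and the listener bound to loopback.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"/>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> List[Dict[str, object]]:
    """Return one finding per AJP connector: its port and a list of issues."""
    root = ET.fromstring(server_xml)
    findings: List[Dict[str, object]] = []
    for conn in root.iter("Connector"):
        if conn.get("protocol", "HTTP/1.1") not in AJP_PROTOCOLS:
            continue
        # After DLA-2209-1 the attribute defaults to true when absent.
        secret_required = conn.get("secretRequired", "true").strip().lower() == "true"
        secret = conn.get("secret", "").strip()
        address = conn.get("address")
        issues: List[str] = []
        if not secret_required:
            issues.append("secretRequired=false: AJP accepted without a shared secret")
        elif not secret:
            issues.append("no secret configured: connector fails to start, proxy breaks")
        if address in (None, "0.0.0.0", "::"):
            issues.append("AJP bound to all interfaces; set address to the proxy-facing IP")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


def is_hardened(server_xml: str) -> bool:
    """True when every AJP connector in the file passes all checks."""
    return all(not f["issues"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("unchanged", UNCHANGED_SERVER_XML),
                       ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml))
```

Run it against /etc/tomcat8/server.xml after the update to see whether the AJP connector will start at all, and whether it is protected by a secret. A file with no AJP connector produces no findings and is reported as hardened.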


CVE-2019-17563

When using FORM authentication with Apache Tomcat there was a narrow
window where an attacker could perform a session fixation attack.
The window was considered too narrow for an exploit to be practical
but, erring on the side of caution, this issue has been treated as a
security vulnerability.

CVE-2020-1935

In Apache Tomcat the HTTP header parsing code used an approach to
end-of-line parsing that allowed some invalid HTTP headers to be
parsed as valid. This led to a possibility of HTTP Request Smuggling
if Tomcat was located behind a reverse proxy that incorrectly
handled the invalid Transfer-Encoding header in a particular manner.
Such a reverse proxy is considered unlikely.
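The defensive rule behind this fix is that a server should accept only well-formed header lines, so that a front-end proxy and the back-end cannot disagree about where a message ends. The strict header-block parser below is an added example, not Tomcat's code; the sample header blocks are constructed, and the host name in them is a placeholder.

```python
"""Strict HTTP/1.1 header-block parser.

Added example, not Tomcat's code. Shows the rule behind the CVE-2020-1935
fix: accept only well-formed headers so that a proxy and the server behind
it parse the same message boundaries.
"""
import re
from typing import Dict, List

# RFC 7230 "tchar": the characters allowed in a header field name.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderError(ValueError):
    """Raised for any header block a strict parser must reject."""


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Parse a header block (header lines plus the terminating blank line).

    Rejects bare CR or LF line endings, obsolete line folding, malformed
    field names, non-numeric or conflicting Content-Length values, and the
    simultaneous presence of Transfer-Encoding and Content-Length.
    """
    if not raw.endswith(b"\r\n\r\n"):
        raise HeaderError("header block must be terminated by CRLF CRLF")
    block = raw[:-4]
    headers: Dict[str, List[str]] = {}
    if block == b"":
        return headers
    for line in block.split(b"\r\n"):
        # After splitting on CRLF, any CR or LF still present is a bare one.
        if b"\r" in line or b"\n" in line:
            raise HeaderError("bare CR or LF in header line")
        if line[:1] in (b" ", b"\t"):
            raise HeaderError("obsolete line folding is not accepted")
        name, sep, value = line.partition(b":")
        # TOKEN also rejects whitespace between the field name and the colon.
        if not sep or not TOKEN.match(name):
            raise HeaderError("malformed header field name: %r" % name)
        key = name.decode("ascii").lower()
        headers.setdefault(key, []).append(value.strip(b" \t").decode("latin-1"))
    lengths = headers.get("content-length", [])
    if any(not v.isdigit() for v in lengths) or len(set(lengths)) > 1:
        raise HeaderError("invalid or conflicting Content-Length")
    if "transfer-encoding" in headers and lengths:
        raise HeaderError("Transfer-Encoding and Content-Length both present")
    return headers


def is_well_formed(raw: bytes) -> bool:
    """Convenience wrapper: True if the block parses, False if it is rejected."""
    try:
        parse_headers(raw)
        return True
    except HeaderError:
        return False


# Constructed samples: one clean block and four that a lenient end-of-line
# parser might accept but a strict one must refuse.
SAMPLES = {
    "clean": b"Host: app.example.test\r\nTransfer-Encoding: chunked\r\n\r\n",
    "bare_lf": b"Host: app.example.test\nTransfer-Encoding: chunked\r\n\r\n",
    "bare_cr": b"Host: app.example.test\rContent-Length: 5\r\n\r\n",
    "te_and_cl": b"Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n",
    "space_before_colon": b"Host : app.example.test\r\n\r\n",
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        verdict = "accept" if is_well_formed(sample) else "reject"
        print(f"{label:20s} {verdict}")
```

The same block fed to a lenient parser and a strict one is where a smuggling discrepancy starts; rejecting the malformed block outright on at least one side removes the ambiguity.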

CVE-2020-1938



Package: tomcat8
Version: 8.0.14-1+deb8u17
CVE ID: CVE-2019-17563 CVE-2020-1935 CVE-2020-1938
Debian Bug: 961209 952436 952437 952438
