[Bug 1865904] Re: Needs updated to Tomcat 8.5.51 for GhostCat bug fixes

2021-08-02 Thread Lucas Kanashiro
** Changed in: tomcat8 (Ubuntu) Status: Confirmed => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1865904 Title: Needs updated to Tomcat 8.5.51 for GhostCat bug fixes To man

[Bug 1865904] Re: Needs updated to Tomcat 8.5.51 for GhostCat bug fixes

2021-02-01 Thread Marc Deslauriers
It wasn't a security update that bumped 8.5.30 to 8.5.39; I believe it was an SRU for openjdk compatibility. The issue with bumping from .39 to .61 is that the same issue will come up as described in the CVE tracker, namely: "One of the upstream fixes for this issue renames the requiredSecret paramet

[Bug 1865904] Re: Needs updated to Tomcat 8.5.51 for GhostCat bug fixes

2021-02-01 Thread Christian Ehrhardt 
@Security - checking past uploads and the package I've found that - since it is in universe there are no usual regular MREs. But there was a security upload for [1] and some former ones. I've read through [2] and seen that there are a few low [3][4] and one medium [5] case open. And as reported t

[Bug 1865904] Re: Needs updated to Tomcat 8.5.51 for GhostCat bug fixes

2021-02-01 Thread Christian Ehrhardt 
** Tags removed: server-triage-discuss

[Bug 1865904] Re: Needs updated to Tomcat 8.5.51 for GhostCat bug fixes

2021-02-01 Thread Christian Ehrhardt 
Independent of this issue, but in general I'm wondering if we should still consider an MRE bump to e.g. 8.5.54 for Bionic, which is back on 8.5.39 still. Adding server-triage-discuss tag for that. ** Tags added: server-triage-discuss

[Bug 1865904] Re: Needs updated to Tomcat 8.5.51 for GhostCat bug fixes

2021-02-01 Thread Christian Ehrhardt 
Hi, per the CVE triage this is low risk (as also explained by Marc right when the bug was opened). Also see https://ubuntu.com/security/cve-2020-1938 for details.

[Bug 1865904] Re: Needs updated to Tomcat 8.5.51 for GhostCat bug fixes

2021-01-30 Thread Betz Stefan
OK, this security issue is now open for about one year. Is there any plan to fix this issue?

[Bug 1865904] Re: Needs updated to Tomcat 8.5.51 for GhostCat bug fixes

2020-03-11 Thread Marc Deslauriers
In Ubuntu packages, the AJP connector is disabled by default, so unless specifically enabled by an admin, deployments made using the package are not vulnerable to this issue. ** Information type changed from Private Security to Public Security ** Changed in: tomcat8 (Ubuntu) Status: New =