PublicDateAtUSN: 2017-06-06
Candidate: CVE-2017-5664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664
https://lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066@%3Cannounce.tomcat.apache.org%3E
http://apt.inguza.net/wheezy-security/tomcat/tomcat8-CVE-2017-5664.patch
https://usn.ubuntu.com/usn/usn-3519-1
The error page mechanism of the Java Servlet Specification requires that,
when an error occurs and an error page is configured for the error that
occurred, the original request and response are forwarded to the error
page. This means that the request is presented to the error page with the
original HTTP method. If the error page is a static file, expected
behaviour is to serve content of the file as if processing a GET request,
regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to
7.0.77 did not do this. Depending on the original request this could lead
to unexpected and undesirable results for static error pages including, if
the DefaultServlet is configured to permit writes, the replacement or
removal of the custom error page. Notes for other user provided error
pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method.
JSPs used as error pages must ensure that they handle any error
dispatch as a GET request, regardless of the actual method. (2) By default,
the response generated by a Servlet does depend on the HTTP method. Custom
Servlets used as error pages must ensure that they handle any error
dispatch as a GET request, regardless of the actual method.
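Note (2) above in code, as an added example that is not code from the Tomcat project or from this advisory: a custom error-page servlet that handles every error dispatch as a GET, whatever method the failing request used, and refuses non-GET requests made directly to the page. It assumes the javax.servlet 3.0 API shipped with Tomcat 7 and later; the class name SafeErrorPageServlet is invented.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.DispatcherType;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical error-page servlet; register it as <error-page> target in web.xml.
public class SafeErrorPageServlet extends HttpServlet {

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // An error dispatch arrives carrying the ORIGINAL method (PUT, DELETE, ...).
        // Route it to doGet() unconditionally so the method of the failing
        // request can never be applied to the error page itself.
        if (req.getDispatcherType() == DispatcherType.ERROR) {
            doGet(req, resp);
            return;
        }
        // Direct requests keep normal method semantics, but only GET/HEAD are
        // allowed, so the page cannot be modified or removed through it.
        String method = req.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method)) {
            super.service(req, resp);
        } else {
            resp.setHeader("Allow", "GET, HEAD");
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Standard error-dispatch attributes defined by the Servlet specification.
        Integer status = (Integer) req.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        String uri = (String) req.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        try (PrintWriter out = resp.getWriter()) {
            out.println("<html><body><h1>Error " + (status == null ? "" : status) + "</h1>");
            // Escape the URI before echoing it so no markup is reflected.
            out.println("<p>Request: " + escape(uri == null ? "" : uri) + "</p></body></html>");
        }
    }

    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```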
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312
upstream: https://svn.apache.org/viewvc?view=revision&revision=1793471
upstream: https://svn.apache.org/viewvc?view=revision&revision=1793491
upstream_tomcat7: released (7.0.78)
precise/esm_tomcat7: DNE
trusty_tomcat7: released (7.0.52-1ubuntu0.13)
vivid/stable-phone-overlay_tomcat7: DNE
vivid/ubuntu-core_tomcat7: DNE
xenial_tomcat7: needed
yakkety_tomcat7: ignored (reached end-of-life)
zesty_tomcat7: ignored (reached end-of-life)
artful_tomcat7: not-affected (7.0.78-1)
bionic_tomcat7: not-affected (7.0.78-1)
devel_tomcat7: not-affected (7.0.78-1)
upstream_tomcat6: released (6.0.41-3)
precise/esm_tomcat6: needs-triage
trusty_tomcat6: needs-triage
vivid/stable-phone-overlay_tomcat6: DNE
vivid/ubuntu-core_tomcat6: DNE
xenial_tomcat6: not-affected (6.0.45+dfsg-1)
upstream: https://svn.apache.org/viewvc?view=revision&revision=1793470
upstream: https://svn.apache.org/viewvc?view=revision&revision=1793489
upstream_tomcat8: released (8.5.15)
precise/esm_tomcat8: DNE
vivid/stable-phone-overlay_tomcat8: DNE
vivid/ubuntu-core_tomcat8: DNE
xenial_tomcat8: released (8.0.32-1ubuntu1.5)
yakkety_tomcat8: ignored (reached end-of-life)
zesty_tomcat8: released (8.0.38-2ubuntu2.2)
artful_tomcat8: not-affected (8.5.21-1)
bionic_tomcat8: not-affected (8.5.21-1)
devel_tomcat8: not-affected (8.5.21-1)