Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8:
DSA 4117-1: gcc-4.9 security update

Debian GNU/Linux 8 and 9:
DSA 4118-1: tomcat-native security update



DSA 4117-1: gcc-4.9 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4117-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 17, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gcc-4.9
CVE ID : not applicable

This update doesn't fix a vulnerability in GCC itself, but instead
provides support for building retpoline-enabled Linux kernel updates.

For the oldstable distribution (jessie), this problem has been fixed
in version 4.9.2-10+deb8u1.

We recommend that you upgrade your gcc-4.9 packages.

For the detailed security status of gcc-4.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gcc-4.9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4118-1: tomcat-native security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4118-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 17, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tomcat-native
CVE ID : CVE-2017-15698

Jonas Klempel reported that tomcat-native, a library giving Tomcat
access to the Apache Portable Runtime (APR) library's network connection
(socket) implementation and random-number generator, does not properly
handle fields longer than 127 bytes when parsing the AIA-Extension field
of a client certificate. If OCSP checks are used, this could result in
client certificates that should have been rejected to be accepted.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.1.32~repack-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.12-2+deb9u1.

We recommend that you upgrade your tomcat-native packages.

For the detailed security status of tomcat-native please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/tomcat-native

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/