Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-23 wireshark security update

Debian GNU/Linux 8 LTS:
DLA 1450-1: tomcat8 security update
DLA 1451-1: wireshark security update



ELA-23 wireshark security update

Package: wireshark
Version: 1.12.1+g01b65bf-4+deb8u6~deb7u12
Related CVE: CVE-2018-14339 CVE-2018-14340 CVE-2018-14341 CVE-2018-14342 CVE-2018-14343 CVE-2018-14368 CVE-2018-14369
Due to several flaws different dissectors could go in infinite loop or could be crashed by malicious packets.

For Debian 7 Wheezy, these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u6~deb7u12.

We recommend that you upgrade your wireshark packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
Read full article @ Debian Freexian

DLA 1450-1: tomcat8 security update

Package : tomcat8
Version : 8.0.14-1+deb8u12
CVE ID : CVE-2018-1304 CVE-2018-1305
Debian Bug : 802312


Several security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.

CVE-2018-1304
The URL pattern of "" (the empty string) which exactly maps to the
context root was not correctly handled in Apache Tomcat when used as
part of a security constraint definition. This caused the constraint
to be ignored. It was, therefore, possible for unauthorized users to
gain access to web application resources that should have been
protected. Only security constraints with a URL pattern of the empty
string were affected.

CVE-2018-1305
Security constraints defined by annotations of Servlets in Apache
Tomcat were only applied once a Servlet had been loaded. Because
security constraints defined in this way apply to the URL pattern
and any URLs below that point, it was possible - depending on the
order Servlets were loaded - for some security constraints not to be
applied. This could have exposed resources to users who were not
authorized to access them.


For Debian 8 "Jessie", these problems have been fixed in version
8.0.14-1+deb8u12.

We recommend that you upgrade your tomcat8 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1451-1: wireshark security update




Package : wireshark
Version : 1.12.1+g01b65bf-4+deb8u15
CVE ID : CVE-2018-14339 CVE-2018-14340 CVE-2018-14341
CVE-2018-14342 CVE-2018-14343 CVE-2018-14368
CVE-2018-14369


CVE-2018-14339
CVE-2018-14340
CVE-2018-14341
CVE-2018-14342
CVE-2018-14343
CVE-2018-14368
CVE-2018-14369
Due to several flaws different dissectors could go in infinite
loop or could be crashed by malicious packets.


For Debian 8 "Jessie", these problems have been fixed in version
1.12.1+g01b65bf-4+deb8u15.

We recommend that you upgrade your wireshark packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS