Debian Security Advisory

DSA-4673-1 tomcat8 -- security update

Date Reported:
03 May 2020
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2019-17569, CVE-2020-1935, CVE-2020-1938.
More information:

Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling and code execution in the AJP connector (disabled by default in Debian).

For the oldstable distribution (stretch), these problems have been fixed in version 8.5.54-0+deb9u1.

We recommend that you upgrade your tomcat8 packages.

For the detailed security status of tomcat8 please refer to its security tracker page at: