CVE-2017-12616

NameCVE-2017-12616
DescriptionWhen using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1108-1, DLA-1400-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat7 (PTS)jessie, jessie (lts)7.0.56-3+really7.0.109-1+deb8u6fixed
stretch7.0.75-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat7sourcewheezy7.0.28-4+deb7u15DLA-1108-1
tomcat7sourcejessie7.0.56-3+really7.0.88-1DLA-1400-1
tomcat7source(unstable)7.0.72-3

Notes

Since 7.0.72-3, src:tomcat7 only builds the Servlet API
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://svn.apache.org/r1804729
Search for package or bug name: Reporting problems