| Name | CVE-2020-1938 |
| Description | When using the Apache JServ Protocol (AJP), care must be taken when tr ... |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2133-1, DLA-2209-1, DSA-4673-1, DSA-4680-1 |
| Debian Bugs | 952436, 952437, 952438 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| tomcat9 (PTS) | bullseye | 9.0.43-2~deb11u10 | fixed |
| | bullseye (security) | 9.0.107-0+deb11u2 | fixed |
| | bookworm | 9.0.70-2 | fixed |
| | trixie | 9.0.95-1 | fixed |
| | forky, sid | 9.0.115-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tomcat7 | source | jessie | 7.0.56-3+really7.0.100-1 | | DLA-2133-1 | |
| tomcat7 | source | (unstable) | (unfixed) | | | 952436 |
| tomcat8 | source | jessie | 8.0.14-1+deb8u17 | | DLA-2209-1 | |
| tomcat8 | source | stretch | 8.5.54-0+deb9u1 | | DSA-4673-1 | |
| tomcat8 | source | (unstable) | (unfixed) | | | 952438 |
| tomcat9 | source | buster | 9.0.31-1~deb10u1 | | DSA-4680-1 | |
| tomcat9 | source | (unstable) | 9.0.31-1 | | | 952437 |
[stretch] - tomcat7 <ignored> (No components in libservlet3.0-java binary package are affected)
AJP disabled in Debian in default configuration since 2008 (the AJP connector is commented out in the shipped server.xml), so only installations that explicitly enabled the connector are exposed
fixed in upstream versions 9.0.31, 8.5.51, 7.0.100; the upstream fix also changes the AJP connector defaults (listen on the loopback address only, secretRequired="true"), so an enabled connector must be configured deliberately on fixed versions
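The two notes above are what an administrator actually has to check on a host: is the AJP connector enabled at all, and if so, on which address and with which secret settings, given that the answer depends on whether the installed Tomcat predates the upstream fix. The script below is an added example for this entry, not Debian or Apache Tomcat code. It assumes the connector attribute semantics introduced by the fixed versions listed above (address defaulting to loopback, secretRequired defaulting to true, the older requiredSecret attribute kept only as an alias of secret) and that earlier versions bind all interfaces by default and honour only requiredSecret; the sample server.xml fragments and the Tomcat version banners are constructed, and the fix-version table is taken from this entry.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed to CVE-2020-1938.

Added example for this tracker entry, not Debian or Apache Tomcat code.
Assumed connector semantics: from the fix versions on, address defaults
to loopback, secretRequired defaults to "true" and requiredSecret is a
deprecated alias of secret; before the fix, address defaults to all
interfaces and only requiredSecret is honoured.
"""
import xml.etree.ElementTree as ET

# Upstream fix versions from this entry, keyed by (major, minor) branch.
FIXED_UPSTREAM = {(9, 0): (9, 0, 31), (8, 5): (8, 5, 51), (7, 0): (7, 0, 100)}

# address values that bind the connector on every interface.
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "0:0:0:0:0:0:0:0"}

# Constructed sample configurations (not taken from any real deployment).
DEBIAN_DEFAULT_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  </Service>
</Server>"""

EXPOSED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

HARDENED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-random-secret"/>
  </Service>
</Server>"""


def parse_version(text):
    """'Apache Tomcat/9.0.30' or '9.0.30' -> (9, 0, 30)."""
    tail = text.rsplit("/", 1)[-1].strip()
    return tuple(int(p) for p in tail.split(".")[:3])


def has_upstream_fix(version):
    """True if the version is at or past the fix on its branch."""
    fixed = FIXED_UPSTREAM.get(version[:2])
    if fixed is None:
        raise ValueError("branch %d.%d is not covered by this entry" % version[:2])
    return version >= fixed


def audit_ajp_connectors(server_xml, patched):
    """Return a finding string for each risky, enabled AJP connector.

    Commented-out connectors (Debian's default since 2008) are dropped by
    the XML parser, so they correctly produce no findings.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if patched:
            secret = conn.get("secret") or conn.get("requiredSecret")
            secret_required = conn.get("secretRequired", "true").lower() == "true"
        else:
            # Pre-fix Tomcat ignores secret/secretRequired and has no switch
            # that makes a secret mandatory.
            secret = conn.get("requiredSecret")
            secret_required = False

        if address in WILDCARD_ADDRESSES or (address is None and not patched):
            findings.append("AJP %s: reachable on all interfaces" % port)
        if not secret:
            if secret_required:
                findings.append("AJP %s: secretRequired is true but no secret "
                                "is set, connector will not start" % port)
            else:
                findings.append("AJP %s: no shared secret, any client may "
                                "send AJP requests" % port)
    return findings


def audit(server_xml, version_banner):
    """Combine the version check with the connector audit."""
    patched = has_upstream_fix(parse_version(version_banner))
    return patched, audit_ajp_connectors(server_xml, patched)


if __name__ == "__main__":
    samples = (("debian-default", DEBIAN_DEFAULT_XML),
               ("exposed", EXPOSED_XML), ("hardened", HARDENED_XML))
    for name, xml_text in samples:
        for banner in ("Apache Tomcat/9.0.30", "Apache Tomcat/9.0.31"):
            patched, findings = audit(xml_text, banner)
            print("%-15s %-20s patched=%-5s %s" % (name, banner, patched, findings or "OK"))
```

Note the hardened fragment: on 9.0.31 it is clean, but on 9.0.30 the audit still reports a missing secret, because the pre-fix connector only reads requiredSecret and silently ignores secret and secretRequired. That is the point of pairing the version check with the configuration check rather than grepping server.xml alone.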
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
https://github.com/apache/tomcat/commit/0e8a50f0a5958744bea1fd6768c862e04d3b7e75 (9.0.31)
https://github.com/apache/tomcat/commit/9ac90532e9a7d239f90952edb229b07c80a9a3eb (9.0.31)
https://github.com/apache/tomcat/commit/64fa5b99442589ef0bf2a7fcd71ad2bc68b35fad (9.0.31)
https://github.com/apache/tomcat/commit/7a1406a3cd20fdd90656add6cd8f27ef8f24e957 (9.0.31)
https://github.com/apache/tomcat/commit/49ad3f954f69c6e838c8cd112ad79aa5fa8e7153 (9.0.31)
https://github.com/apache/tomcat/commit/69c56080fb3355507e1b55d014ec0ee6767a6150 (8.5.51)
https://github.com/apache/tomcat/commit/b962835f98b905286b78c414d5aaec2d0e711f75 (8.5.51)
https://github.com/apache/tomcat/commit/9be57601efb8a81e3832feb0dd60b1eb9d2b61d5 (8.5.51)
https://github.com/apache/tomcat/commit/64159aa1d7cdc2c118fcb5eac098e70129d54a19 (8.5.51)
https://github.com/apache/tomcat/commit/03c436126db6794db5277a3b3d871016fb9a3f23 (8.5.51)
https://github.com/apache/tomcat/commit/0d633e72ebc7b3c242d0081c23bba5e4dacd9b72 (7.0.100)
https://github.com/apache/tomcat/commit/40d5d93bd284033cf4a1f77f5492444f83d803e2 (7.0.100)
https://github.com/apache/tomcat/commit/b99fba5bd796d876ea536e83299603443842feba (7.0.100)
https://github.com/apache/tomcat/commit/f7180bafc74cb1250c9e9287b68a230f0e1f4645 (7.0.100)