Accepted tomcat7 7.0.28-4+deb7u7 (source all) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 01 Dec 2016 23:00:20 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.28-4+deb7u7
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description: 
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Changes: 
 tomcat7 (7.0.28-4+deb7u7) wheezy-security; urgency=high
 .
   * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
     password if the supplied user name did not exist. This made a timing attack
     possible to determine valid user names.
   * Fixed CVE-2016-5018: A malicious web application was able to bypass
     a configured SecurityManager via a Tomcat utility method that was
     accessible to web applications.
   * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
     application's ability to read system properties should be controlled by
     the SecurityManager. Tomcat's system property replacement feature for
     configuration files could be used by a malicious web application to bypass
     the SecurityManager and read system properties that should not be visible.
   * Fixed CVE-2016-6796: A malicious web application was able to bypass
     a configured SecurityManager via manipulation of the configuration
     parameters for the JSP Servlet.
   * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
     access to global JNDI resources to those resources explicitly linked to the
     web application. Therefore, it was possible for a web application to access
     any global JNDI resource whether an explicit ResourceLink had been
     configured or not.
   * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted
     invalid characters. This could be exploited, in conjunction with a proxy
     that also permitted the invalid characters but with a different
     interpretation, to inject data into the HTTP response. By manipulating the
     HTTP response the attacker could poison a web-cache, perform an XSS attack
     and/or obtain sensitive information from requests other than their own.
   * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take
     account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
     using this listener remained vulnerable to a similar remote code execution
     vulnerability.
   * CVE-2016-1240 follow-up:
     - The previous init.d fix was vulnerable to a race condition that could
       be exploited to make any existing file writable by the tomcat user.
       Thanks to Paul Szabo for the report and the fix.
     - The catalina.policy file generated on startup was affected by a similar
       vulnerability that could be exploited to overwrite any file on the system.
       Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo
   * Fix possible privilege escalation via package purge by removing the chown
     command in postrm maintainer script. See #845385 for more information.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 
