
Accepted tomcat7 7.0.56-3+deb8u6 (source all) into proposed-updates->stable-new, proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 09 Dec 2016 17:54:59 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.56-3+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Closes: 845425 846298
Changes:
 tomcat7 (7.0.56-3+deb8u6) jessie-security; urgency=high
 .
   * Fixed CVE-2016-9774: Potential privilege escalation when the tomcat7
     package is upgraded. Thanks to Paul Szabo for the report (see #845393)
   * Fixed CVE-2016-9775: Potential privilege escalation when the tomcat7
     package is purged. Thanks to Paul Szabo for the report (see #845385)
   * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted
     invalid characters. This could be exploited, in conjunction with a proxy
     that also permitted the invalid characters but with a different
     interpretation, to inject data into the HTTP response. By manipulating the
     HTTP response the attacker could poison a web-cache, perform an XSS attack
     and/or obtain sensitive information from requests other than their own.
   * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take
     account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
     using this listener remained vulnerable to a similar remote code execution
     vulnerability. This issue has been rated as important rather than critical
     due to the small number of installations using this listener and that it
     would be highly unusual for the JMX ports to be accessible to an attacker
     even when the listener is used.
   * Backported the fix for upstream bug 57377: Remove the restriction that
     prevented the use of SSL when specifying a bind address for the JMX/RMI
     server. Enable SSL to be configured for the registry as well as the server.
   * CVE-2016-5018 follow-up: Applied a missing modification fixing
     a ClassNotFoundException when the security manager is enabled
     (Closes: #846298)
   * CVE-2016-6797 follow-up: Fixed a regression preventing some applications
     from accessing the global resources (Closes: #845425)
   * CVE-2015-5345 follow-up: Added a missing modification enabling the use of
     the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled
     attributes on a context.
   * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
     with recent JREs
   * Refreshed the expired SSL certificates used by the tests
   * Set the locale when running the tests to prevent locale sensitive tests
     from failing
   * Fixed a test failure in the new TestNamingContext test added with the fix
     for CVE-2016-6797
   * Fixed a test failure in TestResourceBundleELResolver
   * Reduced the verbosity of the tests
Checksums-Sha1:
 f515f7a7fb70ea78d53a961509968615992c1ccd 2758 tomcat7_7.0.56-3+deb8u6.dsc
 8b3a36fea4e5d86815f4230d5eeb1ac0b179b209 89984 tomcat7_7.0.56-3+deb8u6.debian.tar.xz
 605223126836be410caca78b0ee2f303d261e7fb 63598 tomcat7-common_7.0.56-3+deb8u6_all.deb
 9a47f0581bfbff62745e6b307e878c19e8a0ebb1 52578 tomcat7_7.0.56-3+deb8u6_all.deb
 da05b5aa94cb92f0134d174c679262311821f7e3 39956 tomcat7-user_7.0.56-3+deb8u6_all.deb
 e61dedf5deb25c0558f775c7a2d3e5f973ea538e 3628460 libtomcat7-java_7.0.56-3+deb8u6_all.deb
 c7e3bba59decd0ac74b7c9b9822e013f085303d0 315966 libservlet3.0-java_7.0.56-3+deb8u6_all.deb
 2f3a110bba17e31c051e0daef417a142168a8c29 206570 libservlet3.0-java-doc_7.0.56-3+deb8u6_all.deb
 d94179fa60b701dc38c57521fcfd8517a2601766 40890 tomcat7-admin_7.0.56-3+deb8u6_all.deb
 88ed030e1c4cb32967d0e23594ef460941aafaf2 198736 tomcat7-examples_7.0.56-3+deb8u6_all.deb
 33479c785c758c5ac746b1eb0dd46a04a3998ae2 603878 tomcat7-docs_7.0.56-3+deb8u6_all.deb
Checksums-Sha256:
 051837a099da5e5abd64bac4bc910d76feb17bcecf9f871477d26023d0218621 2758 tomcat7_7.0.56-3+deb8u6.dsc
 92f958bd0040baab247c06ba153cab3c587930f8eae530ee695870af92668c6b 89984 tomcat7_7.0.56-3+deb8u6.debian.tar.xz
 6925b315cca1d7f1aa9048be13431d2b0071cc6bfd9644bc3e60ac53e0c4ce0f 63598 tomcat7-common_7.0.56-3+deb8u6_all.deb
 55a25a7fd14f8ccbbd3d453f0ca8ca7b228d5e5a76b1e8c4d9d2b56371e1d120 52578 tomcat7_7.0.56-3+deb8u6_all.deb
 637d620b28365ae63c1c19beaf3e3cb211d48bb023374ff8999b5996898d9426 39956 tomcat7-user_7.0.56-3+deb8u6_all.deb
 defbcb126990f86b6322bb10b6ea9354debc2a6d67efe98e2e6ce0f3e9eca3bf 3628460 libtomcat7-java_7.0.56-3+deb8u6_all.deb
 70edf84cfcae5e7530ef838b3fdbfc10a2694bf0bf128085ffcb208ba1929c8a 315966 libservlet3.0-java_7.0.56-3+deb8u6_all.deb
 5997e175eb1cf0c6ee55ca1b467b3cb23b69aee3203e3a3a00439598eedd72cc 206570 libservlet3.0-java-doc_7.0.56-3+deb8u6_all.deb
 d884fc761accfc7c0bae2cc62be2ba78028f7a0187ff38edfa2c13db3506a7ac 40890 tomcat7-admin_7.0.56-3+deb8u6_all.deb
 a0bcb95ee80dbba2ccde18272c80af50f95e97166a2557a61ba681ea7ec1532b 198736 tomcat7-examples_7.0.56-3+deb8u6_all.deb
 377a8422547d0244b3674ca9f2c54a88744a111568fcd5e4adaddb057df60045 603878 tomcat7-docs_7.0.56-3+deb8u6_all.deb
Files:
 920ab5b90f2238e72b3b345dbe1fc9dc 2758 java optional tomcat7_7.0.56-3+deb8u6.dsc
 4c39b36e1c173d19fb2d98b46c754b2d 89984 java optional tomcat7_7.0.56-3+deb8u6.debian.tar.xz
 55e083ef8381e096c5cba2a033a99d93 63598 java optional tomcat7-common_7.0.56-3+deb8u6_all.deb
 d7d91536cf784d855262d87a17299a04 52578 java optional tomcat7_7.0.56-3+deb8u6_all.deb
 14946666862b196ffdc255bae13b0ab4 39956 java optional tomcat7-user_7.0.56-3+deb8u6_all.deb
 814bf2ceb5d8a17153a32158c7318c40 3628460 java optional libtomcat7-java_7.0.56-3+deb8u6_all.deb
 95a27232a905e6a58a2b5f4c6c373748 315966 java optional libservlet3.0-java_7.0.56-3+deb8u6_all.deb
 9479f67b76f5236b853bf0cc4ecc1d11 206570 doc optional libservlet3.0-java-doc_7.0.56-3+deb8u6_all.deb
 1d9674d0151022cc73877e14dcb0a5d2 40890 java optional tomcat7-admin_7.0.56-3+deb8u6_all.deb
 e94a3438559476f40c5e657b9074785e 198736 java optional tomcat7-examples_7.0.56-3+deb8u6_all.deb
 302da96a4c19d27accf4e5da130793f2 603878 doc optional tomcat7-docs_7.0.56-3+deb8u6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJYSuLzAAoJEPUTxBnkudCsc9gQAKEheMfktBDCqY9wTy2NoF+l
F8RumcveSq/8FMFebVUqIc4rmE3oa4vr5eewn4ZTEkY0y626qIccRXiAzX80E/bI
FrHmpGVJQz3MrA7EYVYpvwbkiA5Wko5HvESXRjAqfVb8eI6BJs673+82yYPF2KTP
u5yaD2/F55m5krq6w9KsmDF32B78rmS/ILV6gTWB5Pm0cfHn6r2JdF81rThAk07P
B6KuhRoD6BlyM7fgMSboirG9unTr1vr422oFRLJeT03W0O6x6xsX5jWG4x/OAByH
1zqCUtfSxEnNp4eOj8JQVQWJ/XG6ZFroManxIlnbf5Xlrew7zp/bXLu/hPVpp+RF
vBpmLzkTHZea66oqnRsv0DRwf3+V+bE3NIeiOIwQO1TVknnflIYqhIJeGezu5vIJ
fLbjDs2cEUiOkkxWVDcbOx9M6dV9mL06TPdjQP9hkJWlP3qMSl3XdCRDle2T70ID
+HtRG/aKC0r43OpLP/YHrnCPWBmTSJS2kmYE+263cRK7sG0oAdGGlY5dvu8XpH/2
9D2UVzKWFaOj828Ph4oZcxf1UVLAVGja5WYAKkgRpx3rsfdpB/b4x1Vu8F7HEWmf
yjvV23gO64uyF60PKwN7ghjhIZ4CEWkN9oIh6/n2kdGliCmUqyaNak4YLpER+lnr
StsZZRYOIABYk56xSALT
=C3Q2
-----END PGP SIGNATURE-----