Accepted tomcat8 8.0.14-1+deb8u4 (source all) into proposed-updates->stable-new, proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 17 Nov 2016 09:00:15 +0100
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u4
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documentation
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applications
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 840685
Changes:
 tomcat8 (8.0.14-1+deb8u4) jessie-security; urgency=medium
 .
   * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
     password if the supplied user name did not exist. This made a timing attack
     possible to determine valid user names.
   * Fixed CVE-2016-5018: A malicious web application was able to bypass
     a configured SecurityManager via a Tomcat utility method that was
     accessible to web applications.
   * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
     application's ability to read system properties should be controlled by
     the SecurityManager. Tomcat's system property replacement feature for
     configuration files could be used by a malicious web application to bypass
     the SecurityManager and read system properties that should not be visible.
   * Fixed CVE-2016-6796: A malicious web application was able to bypass
     a configured SecurityManager via manipulation of the configuration
     parameters for the JSP Servlet.
   * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
     access to global JNDI resources to those resources explicitly linked to the
     web application. Therefore, it was possible for a web application to access
     any global JNDI resource whether an explicit ResourceLink had been
     configured or not.
   * CVE-2016-1240 follow-up:
     - The previous init.d fix was vulnerable to a race condition that could
       be exploited to make any existing file writable by the tomcat user.
       Thanks to Paul Szabo for the report and the fix.
     - The catalina.policy file generated on startup was affected by a similar
       vulnerability that could be exploited to overwrite any file on the system.
       Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo (Closes: #840685)
Checksums-Sha1:
 665856ec19324d7029e41a6fcea54cdd90c69d76 2842 tomcat8_8.0.14-1+deb8u4.dsc
 ec93a6b65254c664e79fdc1ce8cbe011ea11ce65 56260 tomcat8_8.0.14-1+deb8u4.debian.tar.xz
 b042a68034cff0457d369d47b347836cd64b374c 56634 tomcat8-common_8.0.14-1+deb8u4_all.deb
 70554e2be42156ac0376ff6c641370dd1e56abff 46142 tomcat8_8.0.14-1+deb8u4_all.deb
 91336c3cf7160f3567f0f6bc3d7e61f4a5de3a3e 33818 tomcat8-user_8.0.14-1+deb8u4_all.deb
 db9ede19ef81bf9b38103f9a8c1f495899167072 4585858 libtomcat8-java_8.0.14-1+deb8u4_all.deb
 b1fa663561ab8822d5cfba017cf3bee894f22bb2 391180 libservlet3.1-java_8.0.14-1+deb8u4_all.deb
 c828439fd7bcf2388e1207cab4ee50a42bb3dd5a 246386 libservlet3.1-java-doc_8.0.14-1+deb8u4_all.deb
 f8f01bd30ad74ba7f15de3c93b01370d8c1a55ae 35118 tomcat8-admin_8.0.14-1+deb8u4_all.deb
 b9c729a7b4c5f268a70f615b09520d196b1bad39 193542 tomcat8-examples_8.0.14-1+deb8u4_all.deb
 c3ce4d70535076f7bf3d60f1a0fe848f612432b9 688292 tomcat8-docs_8.0.14-1+deb8u4_all.deb
Checksums-Sha256:
 fe11afd5dc9472f316c5126c8d1f12f8958c17cca455dde4b63a5d4eabd25c28 2842 tomcat8_8.0.14-1+deb8u4.dsc
 bfef9a384583312b056101f34bcdb308f5a9855e63b8d575f43f4251d4402af5 56260 tomcat8_8.0.14-1+deb8u4.debian.tar.xz
 6ad03dee0fc489fb2ff115113872d314aeacadb3e4245b993e207ca6d5bfa475 56634 tomcat8-common_8.0.14-1+deb8u4_all.deb
 24e3f69096f81fa3ef65ee837e7d72df46a4610d57d5ed97197764afc342273b 46142 tomcat8_8.0.14-1+deb8u4_all.deb
 5f6d0abc55f17096e2b2cf35e91789a6b6051761a2265e7cd48468a620dc0b13 33818 tomcat8-user_8.0.14-1+deb8u4_all.deb
 9c8d9e0f2900c940bf6dfc721aafcfbc655ec375e0984d67033b187846241bc7 4585858 libtomcat8-java_8.0.14-1+deb8u4_all.deb
 a30a493c614639c71bd9a06bd9b438fcf7fab2d4acbac1e114b08985b2b51909 391180 libservlet3.1-java_8.0.14-1+deb8u4_all.deb
 9f0077c343b34ab5af0c9c989c6ca4e5545b6bc7437c94b0320dbea2dceb11d8 246386 libservlet3.1-java-doc_8.0.14-1+deb8u4_all.deb
 a2cb93bbf53750daed7eaee6339851c98ea39e99f0accd4692540f5d6639ea48 35118 tomcat8-admin_8.0.14-1+deb8u4_all.deb
 799ece775236b93d9d1d5d880a36f3bf8debe9d27edac60a5381c8bf440cc6df 193542 tomcat8-examples_8.0.14-1+deb8u4_all.deb
 230a2139dae1878b32005d357e6e09ff209374256127610545949e907b3fd141 688292 tomcat8-docs_8.0.14-1+deb8u4_all.deb
Files:
 b4b7edf37b67958d914f0faf8ea709bc 2842 java optional tomcat8_8.0.14-1+deb8u4.dsc
 8851abe07b60a4a32341b90e3dd5682d 56260 java optional tomcat8_8.0.14-1+deb8u4.debian.tar.xz
 7a6f81ae8302876756c5ef9cd2bc173a 56634 java optional tomcat8-common_8.0.14-1+deb8u4_all.deb
 87661c80a0a9775f247048853afaf47b 46142 java optional tomcat8_8.0.14-1+deb8u4_all.deb
 390dbf6cee51d388371720b9c14313ab 33818 java optional tomcat8-user_8.0.14-1+deb8u4_all.deb
 0adaf59156eab95073f01f0e53261490 4585858 java optional libtomcat8-java_8.0.14-1+deb8u4_all.deb
 07987c93c5cb5a372ccef3969662ee87 391180 java optional libservlet3.1-java_8.0.14-1+deb8u4_all.deb
 9cffc9aaa7787ef935fa639a6774a6ea 246386 doc optional libservlet3.1-java-doc_8.0.14-1+deb8u4_all.deb
 05d7f65566a92e2f9b506fc05d2d57ea 35118 java optional tomcat8-admin_8.0.14-1+deb8u4_all.deb
 356d02452c487c82594a9f87f3ac370d 193542 java optional tomcat8-examples_8.0.14-1+deb8u4_all.deb
 b36f6f0dc9b9dfb2c0c0d25352353cc3 688292 doc optional tomcat8-docs_8.0.14-1+deb8u4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----