
Accepted tomcat8 8.0.14-1+deb8u5 (source all) into proposed-updates->stable-new, proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 17 Dec 2016 09:19:36 +0100
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 845385 845393
Changes:
 tomcat8 (8.0.14-1+deb8u5) jessie-security; urgency=high
 .
   * Fixed CVE-2016-9774: Potential privilege escalation when the tomcat8
     package is upgraded. Thanks to Paul Szabo for the report (Closes: #845393)
   * Fixed CVE-2016-9775: Potential privilege escalation when the tomcat8
     package is purged. Thanks to Paul Szabo for the report (Closes: #845385)
   * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted
     invalid characters. This could be exploited, in conjunction with a proxy
     that also permitted the invalid characters but with a different
     interpretation, to inject data into the HTTP response. By manipulating the
     HTTP response the attacker could poison a web-cache, perform an XSS attack
     and/or obtain sensitive information from requests other than their own.
   * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take
     account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
     using this listener remained vulnerable to a similar remote code execution
     vulnerability. This issue has been rated as important rather than critical
     due to the small number of installations using this listener and that it
     would be highly unusual for the JMX ports to be accessible to an attacker
     even when the listener is used.
   * Backported the fix for upstream bug 57377: Remove the restriction that
     prevented the use of SSL when specifying a bind address for the JMX/RMI
     server. Enable SSL to be configured for the registry as well as the server.
   * CVE-2016-5018 follow-up: Applied a missing modification fixing
     a ClassNotFoundException when the security manager is enabled (see #846298)
   * CVE-2016-6797 follow-up: Fixed a regression preventing some applications
     from accessing the global resources (see #845425)
   * CVE-2015-5345 follow-up: Applied a missing modification to DefaultServlet
   * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
     with recent JREs
   * Backported a fix disabling the broken SSLv3 tests
   * Refreshed the expired SSL certificates used by the tests
   * Set the locale when running the tests to prevent locale sensitive tests
     from failing
   * Added asm-all.jar to the test classpath to fix TestWebappServiceLoader
   * Fixed a test failure in the new TestNamingContext test added with the fix
     for CVE-2016-6797
   * Test failures are no longer ignored and now stop the build
Checksums-Sha1:
 863b3c4d475bde4e869f4ebaebf67118dae4b9f9 2842 tomcat8_8.0.14-1+deb8u5.dsc
 9ad63d0fddca86cfd97e8fca65563247e80a718b 70888 tomcat8_8.0.14-1+deb8u5.debian.tar.xz
 c983ffb5480273647fbc13c0dfcd845fd4cdaf38 57498 tomcat8-common_8.0.14-1+deb8u5_all.deb
 c758773f15b912d448024e4495125af61bb093a8 47000 tomcat8_8.0.14-1+deb8u5_all.deb
 b2c8c6de94ce645dcbafcfd4ea597293f063a78f 34530 tomcat8-user_8.0.14-1+deb8u5_all.deb
 feef6365326e829ebf29af02e6c9395a7294f824 4587212 libtomcat8-java_8.0.14-1+deb8u5_all.deb
 aaa54d72e7ecf58eb9c7e342771cfded676b1650 391938 libservlet3.1-java_8.0.14-1+deb8u5_all.deb
 0e664137717a28a462964aef6effb4ccf88b0f74 247386 libservlet3.1-java-doc_8.0.14-1+deb8u5_all.deb
 2e4b17b7870ded1623f89ee22bf61d7bcc835c5e 35942 tomcat8-admin_8.0.14-1+deb8u5_all.deb
 c7c874c57df41fdf45c8932136bfd86777716960 194150 tomcat8-examples_8.0.14-1+deb8u5_all.deb
 cc2e6a53b27dda1e2ad95d0a7abe92fc7eaed4d2 688960 tomcat8-docs_8.0.14-1+deb8u5_all.deb
Checksums-Sha256:
 03a05dc2b15e3241270a7e99c7f5a6afde2fc875dcda8461727970cf5f1b88c8 2842 tomcat8_8.0.14-1+deb8u5.dsc
 2c56c1343672f97fd42b1b38b82716f92fd7a7d3f1006782de3b014973daa30d 70888 tomcat8_8.0.14-1+deb8u5.debian.tar.xz
 e83161efde88bb3f0fd8c146439df5c99be73f61280ed631095f13c98403d498 57498 tomcat8-common_8.0.14-1+deb8u5_all.deb
 dcd7534cf403f239ee8c570795d8d139bb4aaa7556c17a4859cd44fc365f4be6 47000 tomcat8_8.0.14-1+deb8u5_all.deb
 77d611b6c3cc4623f2909fdd04a9ee956d234f5b79ea18fde2135e2e0e696ab4 34530 tomcat8-user_8.0.14-1+deb8u5_all.deb
 e0883845d2e042768363e1425ede323fdc60cbdd95c1d4bcf3323f7422466672 4587212 libtomcat8-java_8.0.14-1+deb8u5_all.deb
 d8c41a1aaecf1e0bab2b28158070e0d2750cf2f0434e917c23b63c7a5a1d5879 391938 libservlet3.1-java_8.0.14-1+deb8u5_all.deb
 f04d84a02294cdc9a6afa8c9dd6007b040bf26ab5b7dd248855bcb9bbc316479 247386 libservlet3.1-java-doc_8.0.14-1+deb8u5_all.deb
 6c4cc9f3793df8702a17b62b55abd7e11e482928f755f00ac00b50b3411b1141 35942 tomcat8-admin_8.0.14-1+deb8u5_all.deb
 9979fdb3802afad02db5a5645a269640e086eb07ecfa200c2b375bfbeadd4595 194150 tomcat8-examples_8.0.14-1+deb8u5_all.deb
 4b85438c34275b10b62757ee5cbe618dce772551d75948a1243265a8bc48a7c7 688960 tomcat8-docs_8.0.14-1+deb8u5_all.deb
Files:
 25c13a968a8dc7daa066d594f05b0dcb 2842 java optional tomcat8_8.0.14-1+deb8u5.dsc
 95e06df78dc1c9398884e55044a237ef 70888 java optional tomcat8_8.0.14-1+deb8u5.debian.tar.xz
 1abdee40b2cde01e1e65cebff7ef7ee6 57498 java optional tomcat8-common_8.0.14-1+deb8u5_all.deb
 2bae4143a2997470561ed1709586a26b 47000 java optional tomcat8_8.0.14-1+deb8u5_all.deb
 f626fcac4e1903ed3eda43968f4fc22f 34530 java optional tomcat8-user_8.0.14-1+deb8u5_all.deb
 8d9fe2adfa73a4dcb4d8c80e0143d5ac 4587212 java optional libtomcat8-java_8.0.14-1+deb8u5_all.deb
 8a457e5d67dc7609f7966af22d56ebea 391938 java optional libservlet3.1-java_8.0.14-1+deb8u5_all.deb
 4192b6c66a1081ce709c37b33a5e6e9d 247386 doc optional libservlet3.1-java-doc_8.0.14-1+deb8u5_all.deb
 9a72fe5cc3bc07a0286004313845381f 35942 java optional tomcat8-admin_8.0.14-1+deb8u5_all.deb
 5e4adc0169686723ffcffc538458120d 194150 java optional tomcat8-examples_8.0.14-1+deb8u5_all.deb
 30156d2df7f5b012bc9858114d16d394 688960 doc optional tomcat8-docs_8.0.14-1+deb8u5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
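The CVE-2016-6816 entry above describes a request-line parser that accepted characters the HTTP grammar forbids, so that a front-end proxy and Tomcat could read the same bytes differently. The example below is added here to illustrate that failure mode and its remedy; it is not Tomcat's code and does not reproduce the Debian patch. It places a deliberately lenient request-line parser (the pre-fix behaviour in spirit: split on spaces, never inspect the target) beside a strict one that enforces the RFC 7230 token and visible-character rules, then runs both over a handful of constructed request lines. All sample lines, the `audit` helper and the function names are constructed for this illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# RFC 7230 "tchar": the only characters allowed in a method token.
TCHAR = set("!#$%&'*+-.^_`|~0123456789"
            "abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ")
# Visible US-ASCII (0x21..0x7E). Excludes CTLs, SP, HTAB, DEL and any byte >= 0x80,
# so raw CR/LF or non-ASCII bytes in a request-target are rejected outright.
VCHAR = {chr(c) for c in range(0x21, 0x7F)}
VERSION_RE = re.compile(r"^HTTP/[0-9]\.[0-9]$")


class RequestLine(NamedTuple):
    method: str
    target: str
    version: str


def parse_lenient(line: bytes) -> Optional[RequestLine]:
    """Deliberately permissive parser (the weak behaviour, constructed for contrast).

    Splits on single spaces and never inspects the characters of the target, so a
    control character or a stray high byte is silently carried into routing."""
    text = line.decode("latin-1").rstrip("\r\n")
    parts = text.split(" ")
    if len(parts) != 3:
        return None
    return RequestLine(*parts)


def parse_strict(line: bytes) -> RequestLine:
    """Hardened parser: exactly two single-SP separators, token-only method,
    VCHAR-only request-target and a well-formed HTTP-version.

    Anything else raises ValueError, which a server should turn into a 400 and
    close the connection rather than guess at the sender's intent."""
    text = line.decode("latin-1")
    if text.endswith("\r\n"):
        text = text[:-2]
    parts = text.split(" ")
    if len(parts) != 3:
        raise ValueError("request line must be 'method SP request-target SP HTTP-version'")
    method, target, version = parts
    if not method or any(c not in TCHAR for c in method):
        raise ValueError("method contains a non-token character")
    if not target or any(c not in VCHAR for c in target):
        raise ValueError("request-target contains a control, space or non-ASCII byte")
    if not VERSION_RE.match(version):
        raise ValueError("malformed HTTP-version")
    return RequestLine(method, target, version)


# Constructed sample request lines (not captured traffic).
CONSTRUCTED_LINES = [
    b"GET /index.html HTTP/1.1\r\n",            # well-formed
    b"GET /index.html\x7fadmin HTTP/1.1\r\n",   # DEL (0x7F) inside the target
    b"GET /a\rb HTTP/1.1\r\n",                  # bare CR inside the target
    b"GET /caf\xe9 HTTP/1.1\r\n",               # non-ASCII byte, not percent-encoded
    b"GET /a%0d%0ab HTTP/1.1\r\n",              # percent-encoded: valid VCHAR, both accept
]


def audit(lines: List[bytes]) -> List[Tuple[bool, bool]]:
    """Return (lenient_accepts, strict_accepts) for each line.

    A (True, False) pair marks a line whose meaning depends on which component
    parses it: exactly the disagreement a proxy/origin pair must never have."""
    results = []
    for line in lines:
        lenient = parse_lenient(line) is not None
        try:
            parse_strict(line)
            strict = True
        except ValueError:
            strict = False
        results.append((lenient, strict))
    return results


if __name__ == "__main__":
    for line, (lenient, strict) in zip(CONSTRUCTED_LINES, audit(CONSTRUCTED_LINES)):
        verdict = "consistent" if lenient == strict else "DISAGREE"
        print(f"{line!r:45} lenient={lenient!s:5} strict={strict!s:5} {verdict}")
```

The three lines the two parsers disagree on are the ones worth a detection rule: a request line containing bytes outside 0x21..0x7E in the target is never legitimate HTTP/1.1 and can be logged and rejected at the edge before any back-end sees it. The percent-encoded line is accepted by both because encoding is the correct way to carry such octets; the defect the changelog describes is about raw, unencoded characters.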