-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Feb 2016 19:32:00 +0100
Source: tomcat6
Binary: libservlet2.5-java libservlet2.5-java-doc
Architecture: source all
Version: 6.0.45+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes
 libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation
Changes:
 tomcat6 (6.0.45+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
   * Imported Upstream version 6.0.45+dfsg.
     - Remove all prebuilt jar files.
   * Declare compliance with Debian Policy 3.9.7.
   * Vcs-fields: Use https.
   * This update fixes the following security vulnerabilities in the source
     package. Since src:tomcat6 only builds libservlet2.5-java and
     documentation, users are not directly affected.
     - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
     - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
       processes redirects before considering security constraints and
       Filters.
     - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
       org.apache.catalina.manager.StatusManagerServlet on the
       org/apache/catalina/core/RestrictedServlets.properties list which
       allows remote authenticated users to bypass intended SecurityManager
       restrictions.
     - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
       before 6.0.45 mishandles session attributes, which allows remote
       authenticated users to bypass intended SecurityManager restrictions.
     - CVE-2016-0763: The setGlobalContext method in
       org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat
       does not consider whether ResourceLinkFactory.setGlobalContext callers
       are authorized, which allows remote authenticated users to bypass
       intended SecurityManager restrictions and read or write to arbitrary
       application data, or cause a denial of service (application
       disruption), via a web application that sets a crafted global context.
     - CVE-2015-5351: The Manager and Host Manager applications in Apache
       Tomcat establish sessions and send CSRF tokens for arbitrary new
       requests, which allows remote attackers to bypass a CSRF protection
       mechanism by using a token.
Checksums-Sha1:
 af97786ef9e9f953aabef6d3798b2194ae2a8722 2455 tomcat6_6.0.45+dfsg-1.dsc
 626f715d36c53df93a6a446c46eb4a4deba41d0a 2187068 tomcat6_6.0.45+dfsg.orig.tar.xz
 097daa63563d0d4ae757c5f41204b4fd2bad270e 38724 tomcat6_6.0.45+dfsg-1.debian.tar.xz
 b5b89fbcc2553d9622575a1302b9b86191677814 164924 libservlet2.5-java-doc_6.0.45+dfsg-1_all.deb
 0a1321533d43441cc5affb361bfe8edcb845dd5c 220862 libservlet2.5-java_6.0.45+dfsg-1_all.deb
Checksums-Sha256:
 c1bb3dd3cf299188672061398c92f55f76d1e91aa429e2b6acbbf34c87ccc46c 2455 tomcat6_6.0.45+dfsg-1.dsc
 d01037a18afb119656a500d3cdb37e918ae3224e21aac5682ecdaac5519d59bc 2187068 tomcat6_6.0.45+dfsg.orig.tar.xz
 f4722067e96127583ba06e490566e836ff1a118bd1a9f2e44fdfc1d6fcc87c3f 38724 tomcat6_6.0.45+dfsg-1.debian.tar.xz
 a6d769036dfb631bd45a7bea6e8b891c31e776b517ccf25c476468af28b9d09e 164924 libservlet2.5-java-doc_6.0.45+dfsg-1_all.deb
 f3e9137f5db54173d73512721657ea954caafe2088bc713d4c953036aeb1f809 220862 libservlet2.5-java_6.0.45+dfsg-1_all.deb
Files:
 6e2dfae412801ab86ba711288ed3a44c 2455 java optional tomcat6_6.0.45+dfsg-1.dsc
 5660a132fd4d4b7e08d87383d2f9290d 2187068 java optional tomcat6_6.0.45+dfsg.orig.tar.xz
 db5b6c21ecfde313f49ca7fa61e64326 38724 java optional tomcat6_6.0.45+dfsg-1.debian.tar.xz
 6582e390642486abc1b14fae4736d3b3 164924 doc optional libservlet2.5-java-doc_6.0.45+dfsg-1_all.deb
 b71f7f63ce886e6ba7320746f8bbfd8c 220862 java optional libservlet2.5-java_6.0.45+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJW0e0CXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBQ0YzRDA4OEVGMzJFREVGNkExQTgzNUZE
OUFEMTRCOTUxM0I1MUU0AAoJENmtFLlRO1HkSnMQALun4Sl9mPxx6VnDrmeKZmkU
DQHCiO2GOMXPmz+1SH2kOJ+uA6XE6IYoADq1/OHrWzGIMcnbOMK7idxpz0AfvtNk
54rJPaGgPT3SdbC78ZaCp6epJbT/mzl/F23Y1dGL0+waoiN42ZsUwqHsX/0zV2sO
jOX4KQE13QYR0uRqr4h7rc5ES9GvNtyXbWrPcyPy4IWWOWw4VwuUxVoPPSYqXfpR
j+B93XjU4XqMwId8e/8nyvlRDyrB8rxlE+eC+Ysnn9z6J2Q8fSCPsuSuDlhoj/JK
XM6qAdzY7/bv2UPZrnzXSQJwesE10YVe9lSl7rkUobSZovJcCGq8rETwUDqfAW9c
yYg2Iq6XMgL/UE2zwfgEo7qO3FIegKim/6YGpQjrCS1UOT3Kpv2691QSbfoYz6rh
yPwJByFEcnFFzokyMcV1AzmW0gQyYpKW8eUucXd54paXNymes4L9n1Ge+WhCA/1g
BXI3dncpUg40uInrtQ5TynKL6/0c0nbeRggNIS3iGKU4J2UCUzgUev8Wkq6VDGnj
rV5tCIIe58uaWyDMs74C5bZBVB2+xYh784TmCcbpm99SNC1zJI5+LNm6hnfKvUAo
dBLBUlWCm/PX3vrlhbXWvlA2VHNFu0m9yAj0ECs9lSoNv3DhJOJM5BhAGrPe9vtV
TgzIqTRdOo28vp9wtqng
=oTTO
-----END PGP SIGNATURE-----
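The Checksums-Sha1, Checksums-Sha256 and Files stanzas above are what a reviewer checks the downloaded .dsc, orig tarball and .deb files against (devscripts' dscverify does this for real uploads, after first verifying the clearsign signature with GnuPG). The example below is added here and is not Debian tooling; it parses those stanzas out of a .changes body, tolerating the clearsign framing shown above, and reports every listed file that is missing, has the wrong size or the wrong digest, plus any file the Files stanza names that Checksums-Sha256 omits. The sample upload (`demo_1.0-1.dsc` and friends, the `make_changes` helper) is constructed for the demonstration and is not a real package; the digest check is only meaningful once `gpg --verify` has accepted the signature, since an attacker who can rewrite the files can rewrite an unsigned checksum list too.

```python
"""Check the Checksums-* and Files stanzas of a Debian .changes file
against the files it describes.

Added example, not Debian's own tooling (dpkg-genchanges, dscverify or
debsign). The sample package below is constructed. Signature verification
(gpg --verify on the clearsigned file) is a separate step not done here.
"""
import hashlib


def parse_changes(text):
    """Parse a deb822-style .changes body into {field: value}.

    Continuation lines (leading whitespace) are appended to the current
    field, so multi-line stanzas such as Checksums-Sha256 stay intact.
    Clearsign framing is tolerated: the 'Hash:' armor header is skipped,
    RFC 4880 dash-escaping ('- ' prefix) is undone, and parsing stops at
    the signature block.
    """
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----") or line.startswith("Hash:"):
            continue
        if line.startswith("- "):
            line = line[2:]
        if not line.strip():
            key = None
            continue
        if line[0] in " \t":
            if key is not None:
                fields[key] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        fields[key] = value.strip()
    return fields


def parse_file_list(stanza):
    """Turn 'digest size [section priority] filename' lines into
    {filename: (digest, size)}; the layout of Files and Checksums-* alike."""
    entries = {}
    for line in stanza.splitlines():
        parts = line.split()
        if parts:
            entries[parts[-1]] = (parts[0].lower(), int(parts[1]))
    return entries


def verify(changes_text, files, algo="sha256"):
    """Compare the stanza for `algo` ('sha256', 'sha1' or 'md5', the last
    meaning the Files stanza) against `files`, a {filename: bytes} map.

    Returns a sorted list of (filename, problem); empty means every listed
    file is present with the right size and digest and the Files stanza
    names nothing the Checksums-* stanza omits (dpkg requires both to agree).
    """
    fields = parse_changes(changes_text)
    key = "Files" if algo == "md5" else "Checksums-" + algo.capitalize()
    if key not in fields:
        return [("*", "no " + key + " stanza")]
    listed = parse_file_list(fields[key])
    problems = []
    for name, (digest, size) in listed.items():
        data = files.get(name)
        if data is None:
            problems.append((name, "missing"))
        elif len(data) != size:          # cheap check first, avoids hashing
            problems.append((name, "size mismatch"))
        elif hashlib.new(algo, data).hexdigest() != digest:
            problems.append((name, "digest mismatch"))
    if key != "Files" and "Files" in fields:
        for name in parse_file_list(fields["Files"]):
            if name not in listed:
                problems.append((name, "not in " + key))
    return sorted(problems)


# Constructed sample upload: tiny stand-ins for a .dsc, an orig tarball and
# a binary .deb. The contents are not real packages.
SAMPLE_FILES = {
    "demo_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: demo\nVersion: 1.0-1\n",
    "demo_1.0.orig.tar.xz": b"\xfd7zXZ\x00 constructed, not a real archive",
    "demo_1.0-1_all.deb": b"!<arch>\nconstructed",
}


def make_changes(files, section="java", priority="optional"):
    """Emit a .changes body (no signature) for `files` in the layout shown
    above; used here only to produce input for verify()."""
    def stanza(algo, extra=""):
        return "\n".join(
            " %s %d%s %s" % (hashlib.new(algo, data).hexdigest(), len(data), extra, name)
            for name, data in sorted(files.items()))
    return "\n".join([
        "Format: 1.8",
        "Source: demo",
        "Version: 1.0-1",
        "Checksums-Sha1:", stanza("sha1"),
        "Checksums-Sha256:", stanza("sha256"),
        "Files:", stanza("md5", " %s %s" % (section, priority)),
        "",
    ])


if __name__ == "__main__":
    changes = make_changes(SAMPLE_FILES)
    print(changes)
    print("intact:", verify(changes, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES, **{"demo_1.0-1_all.deb": b"!<arch>\nconstructee"})
    print("same-size tampering of the .deb:", verify(changes, tampered))
```

Run it against a real upload by reading the downloaded files into the dictionary and passing the .changes text as received. Check the Checksums-Sha256 stanza; the MD5 digests in Files and the SHA-1 stanza are kept for older tools and should not be the only thing you compare.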