-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 16 Mar 2016 14:08:48 +0100
Source: tomcat6
Binary: tomcat6-common tomcat6 tomcat6-user libtomcat6-java libservlet2.4-java libservlet2.5-java libservlet2.5-java-doc tomcat6-admin tomcat6-examples tomcat6-docs tomcat6-extras
Architecture: source all
Version: 6.0.45+dfsg-1~deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet2.4-java - Transitional package for libservlet2.5-java
 libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes
 libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation
 libtomcat6-java - Servlet and JSP engine -- core libraries
 tomcat6    - Servlet and JSP engine
 tomcat6-admin - Servlet and JSP engine -- admin web applications
 tomcat6-common - Servlet and JSP engine -- common files
 tomcat6-docs - Servlet and JSP engine -- documentation
 tomcat6-examples - Servlet and JSP engine -- example web applications
 tomcat6-extras - Servlet and JSP engine -- additional components
 tomcat6-user - Servlet and JSP engine -- tools to create user instances
Changes:
 tomcat6 (6.0.45+dfsg-1~deb7u1) wheezy-security; urgency=high
 .
   * Team upload.
   * The full list of changes between 6.0.35 (the version previously available
     in Wheezy) and 6.0.45 can be seen in the upstream changelog, which is
     available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
   * This update fixes the following security issues:
     - CVE-2014-0033: prevent remote attackers from conducting session fixation
       attacks via crafted URLs.
     - CVE-2014-0119: Fix not properly constraining class loader that accesses
       the XML parser used with an XSLT stylesheet which allowed remote
       attackers to read arbitrary files via crafted web applications.
     - CVE-2014-0099: Fix integer overflow in
       java/org/apache/tomcat/util/buf/Ascii.java.
     - CVE-2014-0096: Properly restrict XSLT stylesheets that allowed remote
       attackers to bypass security-manager restrictions.
     - CVE-2014-0075: Fix integer overflow in the parseChunkHeader function in
       java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
     - CVE-2013-4590: prevent "Tomcat internals" information leaks.
     - CVE-2013-4322: prevent remote attackers from doing denial of service
       attacks.
     - CVE-2013-4286: reject requests with multiple content-length headers or
       with a content-length header when chunked encoding is being used.
     - Avoid CVE-2013-1571 when generating Javadoc.
   * CVE-2014-0227.patch:
     - Add error flag to allow subsequent attempts at reading after an error to
       fail fast.
   * CVE-2014-0230: Add support for maxSwallowSize.
   * CVE-2014-7810:
     - Fix potential BeanELResolver issue when running under a security
       manager. Some classes may not be accessible but may have accessible
       interfaces.
   * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
   * CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
     processes redirects before considering security constraints and Filters.
   * CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
     org.apache.catalina.manager.StatusManagerServlet on the
     org/apache/catalina/core/RestrictedServlets.properties list which allows
     remote authenticated users to bypass intended SecurityManager
     restrictions.
   * CVE-2016-0714: The session-persistence implementation in Apache Tomcat
     before 6.0.45 mishandles session attributes, which allows remote
     authenticated users to bypass intended SecurityManager restrictions.
   * CVE-2016-0763: The setGlobalContext method in
     org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
     not consider whether ResourceLinkFactory.setGlobalContext callers are
     authorized, which allows remote authenticated users to bypass intended
     SecurityManager restrictions and read or write to arbitrary application
     data, or cause a denial of service (application disruption), via a web
     application that sets a crafted global context.
   * CVE-2015-5351: The Manager and Host Manager applications in Apache Tomcat
     establish sessions and send CSRF tokens for arbitrary new requests, which
     allows remote attackers to bypass a CSRF protection mechanism by using a
     token.
   * Drop the following patches. Applied upstream.
     - 0011-CVE-2012-0022-regression-fix.patch
     - 0012-CVE-2012-3544.patch
     - 0014-CVE-2012-4534.patch
     - 0015-CVE-2012-4431.patch
     - 0016-CVE-2012-3546.patch
     - 0017-CVE-2013-2067.patch
     - cve-2012-2733.patch
     - cve-2012-3439.patch
     - CVE-2014-0227.patch
     - CVE-2014-0230.patch
     - CVE-2014-7810-1.patch
     - CVE-2014-7810-2.patch
     - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch
Checksums-Sha1:
 ca4df8190dae7eeb214b5efa8aa6dd1a473fca0e 2870 tomcat6_6.0.45+dfsg-1~deb7u1.dsc
 626f715d36c53df93a6a446c46eb4a4deba41d0a 2187068 tomcat6_6.0.45+dfsg.orig.tar.xz
 d73d60284ae66a39d4b361d21540f527029416f0 46068 tomcat6_6.0.45+dfsg-1~deb7u1.debian.tar.gz
 7bce5dd7eb96d1e0cd2f02c7675c463810aef2f2 57510 tomcat6-common_6.0.45+dfsg-1~deb7u1_all.deb
 7973b99d9ff0205a3bfd55a96e1bb555fd5b5f71 51136 tomcat6_6.0.45+dfsg-1~deb7u1_all.deb
 7d761e0e519ad00cba6c00d666302fef60289b2c 41026 tomcat6-user_6.0.45+dfsg-1~deb7u1_all.deb
 68c17a0d951f4d655167c67865aa150bf39542bc 3168786 libtomcat6-java_6.0.45+dfsg-1~deb7u1_all.deb
 8b255cdf82aee044a16507adbd3e35467b0e3703 14720 libservlet2.4-java_6.0.45+dfsg-1~deb7u1_all.deb
 71422bbf46fdc5e8dc0afb7c6fd12e3a76259a70 241076 libservlet2.5-java_6.0.45+dfsg-1~deb7u1_all.deb
 d7c66df320b96cc25490058b0fbd1ff575ac1311 256560 libservlet2.5-java-doc_6.0.45+dfsg-1~deb7u1_all.deb
 0af114c70e2f779a592a7063412ede019e26bab7 50228 tomcat6-admin_6.0.45+dfsg-1~deb7u1_all.deb
 cdfa6dd586953360a186d9c3e3011d6b5c6fc7b9 165298 tomcat6-examples_6.0.45+dfsg-1~deb7u1_all.deb
 9cdfb923dd9761e149fa84919e5359d975d54613 604544 tomcat6-docs_6.0.45+dfsg-1~deb7u1_all.deb
 522c7ea9974ca9b70d129cfb723cdbbe1edfdf86 15002 tomcat6-extras_6.0.45+dfsg-1~deb7u1_all.deb
Checksums-Sha256:
 3ccfaf5fb6295c263ff7254c6c5262a98c0bb4c6ee1140937b89e51794db6c47 2870 tomcat6_6.0.45+dfsg-1~deb7u1.dsc
 d01037a18afb119656a500d3cdb37e918ae3224e21aac5682ecdaac5519d59bc 2187068 tomcat6_6.0.45+dfsg.orig.tar.xz
 72723b1f5eedc2c868bc12a354bb9be720d3195ec0cb2579e6554561a27528b5 46068 tomcat6_6.0.45+dfsg-1~deb7u1.debian.tar.gz
 64dc1b8115ab182b34111890c388cf10c702677daf9d3f6433e8ccdcecdfec6c 57510 tomcat6-common_6.0.45+dfsg-1~deb7u1_all.deb
 e3925e28927e4aca13d6b771eff12ea88b7a4a08c89798a13c7a40ae931b7b74 51136 tomcat6_6.0.45+dfsg-1~deb7u1_all.deb
 11fb6115e29cbb2b25d2a579156b3da4d00974782cb1d50d070290956ed77a38 41026 tomcat6-user_6.0.45+dfsg-1~deb7u1_all.deb
 b6ec84cc21f99ae4000e8dcfc89866affa32614eeee55cadfc4385fbec27ab02 3168786 libtomcat6-java_6.0.45+dfsg-1~deb7u1_all.deb
 61aff80929ae0e0c7b647e392f404236f921b4fdfcd2fef028142ff6f3a30619 14720 libservlet2.4-java_6.0.45+dfsg-1~deb7u1_all.deb
 bf15475013c6f023056b82eaaedeb1b4022fcc64d43ff57d473adab246037078 241076 libservlet2.5-java_6.0.45+dfsg-1~deb7u1_all.deb
 15511aa9e58a5759ea76c1520d95754ad50419ae13db865431c0972692b1146c 256560 libservlet2.5-java-doc_6.0.45+dfsg-1~deb7u1_all.deb
 2777e86728ec25938c71ac81990bc4f468ad604bb4b5f901be88d11f2f6d49fd 50228 tomcat6-admin_6.0.45+dfsg-1~deb7u1_all.deb
 f6d72806e15eb09a5362733463f8529b564b7f854b55e9576d301ae77b8ce70e 165298 tomcat6-examples_6.0.45+dfsg-1~deb7u1_all.deb
 982e81e53443c254e9d99a0ddb531db8a7f02534994749a3bf683d7f2839525e 604544 tomcat6-docs_6.0.45+dfsg-1~deb7u1_all.deb
 347697cb1cce373703a890607ecffee224d6a7eb650e7bcd62976c00250cd946 15002 tomcat6-extras_6.0.45+dfsg-1~deb7u1_all.deb
Files:
 b198af5b4acc23098a5572a12581fd3e 2870 java optional tomcat6_6.0.45+dfsg-1~deb7u1.dsc
 5660a132fd4d4b7e08d87383d2f9290d 2187068 java optional tomcat6_6.0.45+dfsg.orig.tar.xz
 40b7541849194fe5e43a4b2f559dc155 46068 java optional tomcat6_6.0.45+dfsg-1~deb7u1.debian.tar.gz
 ed7f2288ba51025412109dbc1d6a8afc 57510 java optional tomcat6-common_6.0.45+dfsg-1~deb7u1_all.deb
 6333c3885c245a218b004ede98fa05c1 51136 java optional tomcat6_6.0.45+dfsg-1~deb7u1_all.deb
 46c8fed2fd752c7442cac4560b15f3b7 41026 java optional tomcat6-user_6.0.45+dfsg-1~deb7u1_all.deb
 ee4b202122c96c9da8921f1c09a34e6e 3168786 java optional libtomcat6-java_6.0.45+dfsg-1~deb7u1_all.deb
 0a7c0c01e613546c81c40bb391d98f37 14720 oldlibs extra libservlet2.4-java_6.0.45+dfsg-1~deb7u1_all.deb
 bb488183609f33d44d776172c470e504 241076 java optional libservlet2.5-java_6.0.45+dfsg-1~deb7u1_all.deb
 0d131df4389998a7e0b9ed5578ac4d12 256560 doc optional libservlet2.5-java-doc_6.0.45+dfsg-1~deb7u1_all.deb
 b007b4cba1a08bb44bda5e686a9498d6 50228 java optional tomcat6-admin_6.0.45+dfsg-1~deb7u1_all.deb
 429661125ffb4f8dff34c77e8c8286f6 165298 java optional tomcat6-examples_6.0.45+dfsg-1~deb7u1_all.deb
 bd6d8b71b45557d43af252b2a66cd1ff 604544 doc optional tomcat6-docs_6.0.45+dfsg-1~deb7u1_all.deb
 dd4338f0bbd37c766f75bd7bad2e0f11 15002 java optional tomcat6-extras_6.0.45+dfsg-1~deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJW6VzFXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBQ0YzRDA4OEVGMzJFREVGNkExQTgzNUZE
OUFEMTRCOTUxM0I1MUU0AAoJENmtFLlRO1HkVIsQAJhlmwkd0LB3UZqK6HKU03Ob
H5K7Gl01e1WPwLR0UBgNdO24nRxjVeUB+3EKz9EUj39Vf+gCnG3BA5Kdrp4QBmBu
rJbGMi52ws6ISQnZ5omJZ8yDG49ZdbiuIq2HXX7O2E+CDSK5koCBXO2WM+a39vvV
c5T75by/Mekn4aFf5t1R95HElzHV5qhO6qiAx1ApFgcA2e8YTDOcOqZ4gHAuWEb/
1GlwgJ+Z3u42njG48qqQaXDBsa2B9f3vXTdke1gB+63yFE+E3CXFMW3pUlmyUfz9
+wz/bmkkcwuCy1ifEGqhEMYVZYcmjqrcwl+zeiPm4MwTwwWKtt3kgus4MUyO0v7C
FFs5Dj/YbawvzAwWAaoW+aOA6DPQ/MCKblt3W2lHkL6sHTIGTDtUMsAmJObxWeK4
oB0uj07zLZxlaTr5is+7a+CrTSQdyzxN970rDIlFvoR3pAYbbFJ/o6tY64C9KRz9
cuUF/0sMweC0XHvYcluXl7ecroKVxYmQNK/0luDN2tFeQfAcz3ywKnOBwd3rt7US
B4y2+6NdufxF13pm7C2Dhv/uqapYmg3c9z11VN5zmoMxP9IOFs6MYyP/vFt3EC3J
bk5sEITIzDAGMueaOnTjiPRdgSNUHmJHxKgockYwWho2b+t6QJgFgP2pTu0Xespj
3jlMP8NvbNoDGOlQ4bIs
=BOey
-----END PGP SIGNATURE-----
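The Checksums-Sha256 and Files fields above are what bind each uploaded .deb and tarball to this signed document. The following is an added example, not part of the Debian tomcat6 package or of this .changes file: a small verifier that parses those fields from a .changes text and checks the named files on disk by size and SHA-256. The parser stops at the PGP signature block so that the "Version: GnuPG v1" armour header cannot shadow the package's own Version field, and it refuses file names containing path components. SAMPLE_CHANGES is constructed; its digests are those of the three-byte file "abc", not of any real package.

```python
"""Verify files against the Checksums-Sha256 field of a Debian .changes file."""
import hashlib
import os
import re
import tempfile

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):(.*)$")

# Constructed sample in the layout of the tomcat6 .changes above. The digests
# and size belong to the file content b"abc", not to a real Debian package.
SAMPLE_CHANGES = """\
Format: 1.8
Source: example
Version: 1.0
Checksums-Sha1:
 a9993e364706816aba3e25717850c26c9cd0d89d 3 example_1.0_all.deb
Checksums-Sha256:
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 example_1.0_all.deb
Files:
 900150983cd24fb0d6963f7d28e17f72 3 misc optional example_1.0_all.deb
"""


def parse_fields(text):
    """Split RFC 822-style .changes text into {field: [continuation lines]}.

    Handles clear-signed input: the armour headers after BEGIN PGP SIGNED
    MESSAGE (e.g. "Hash: SHA512") are skipped, and parsing stops at the
    signature block so "Version: GnuPG v1" never overrides the real Version.
    """
    fields = {}
    current = None
    lines = iter(text.splitlines())
    for line in lines:
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            for line in lines:  # consume armour headers up to the blank line
                if not line.strip():
                    break
            continue
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if not line.strip():
            current = None
            continue
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1)
            fields[current] = []
            if m.group(2).strip():
                fields[current].append(m.group(2).strip())
        elif current is not None and line.startswith(" "):
            fields[current].append(line.strip())
    return fields


def parse_checksums(text, field="Checksums-Sha256"):
    """Return {filename: (hex digest, size)} from one Checksums-* field."""
    entries = {}
    for line in parse_fields(text).get(field, []):
        digest, size, name = line.split()
        # A hostile .changes could list "../../etc/x"; never follow path components.
        if os.path.basename(name) != name:
            raise ValueError("unsafe filename in %s: %r" % (field, name))
        entries[name] = (digest.lower(), int(size))
    return entries


def file_digest(path, algo="sha256"):
    """Stream a file through hashlib so large tarballs are not read at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(changes_text, directory):
    """Check every file named in Checksums-Sha256 against `directory`.

    Returns {filename: "ok" | "missing" | "size-mismatch" | "digest-mismatch"}.
    Size is compared first so a truncated download is reported as such.
    """
    results = {}
    for name, (want_digest, want_size) in parse_checksums(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != want_size:
            results[name] = "size-mismatch"
        elif file_digest(path) != want_digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def run_demo():
    """Exercise verify_files on constructed files: intact, tampered, truncated, absent."""
    outcomes = {}
    cases = (("intact", b"abc"), ("tampered", b"abd"), ("truncated", b"ab"))
    for label, content in cases:
        with tempfile.TemporaryDirectory() as d:
            with open(os.path.join(d, "example_1.0_all.deb"), "wb") as f:
                f.write(content)
            outcomes[label] = verify_files(SAMPLE_CHANGES, d)["example_1.0_all.deb"]
    with tempfile.TemporaryDirectory() as d:
        outcomes["missing"] = verify_files(SAMPLE_CHANGES, d)["example_1.0_all.deb"]
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

The checksums only prove that the files match the document; trust in the document itself comes from checking the clear-signature first (for example `gpg --verify` on the .changes file against the uploader's key), which this script deliberately does not attempt. The MD5 values in the Files field are kept for legacy tooling; compare against Checksums-Sha256.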
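The CVE-2013-4286 entry in the changelog states the framing rule the fix enforces: reject a request that carries more than one Content-Length header, or a Content-Length header together with chunked transfer encoding. Such requests are ambiguous, and a front-end proxy and Tomcat can disagree about where one request ends and the next begins. The following is an added illustration of that rule in a standalone request-head validator, not Tomcat's code; the sample requests are constructed, not captured traffic. Rejecting repeated Content-Length values even when they are equal follows the changelog's wording and is stricter than what RFC 7230 tolerates.

```python
"""Reject ambiguous HTTP/1.1 request framing (the CVE-2013-4286 rule)."""


class FramingError(ValueError):
    """Raised when the request head cannot be framed unambiguously."""


# Constructed sample requests, not captured traffic.
CLEAN_POST = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\n\r\nhello")
CHUNKED_POST = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
# CL.TE shape: a front end honouring Content-Length forwards 4 body bytes,
# a back end honouring chunked sees a 0-length body and a second request.
CL_TE_SMUGGLE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
                 b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n")
DOUBLE_CL = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 50\r\n\r\nhello")


def parse_head(raw):
    """Parse bytes through the blank line into (request_line, [(name, value)]).

    Header names are lower-cased; obsolete line folding is rejected because
    a folded line is another way two parsers can disagree about a header.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete head")
    lines = head.split(b"\r\n")
    headers = []
    try:
        request_line = lines[0].decode("ascii")
        for line in lines[1:]:
            if line[:1] in (b" ", b"\t"):
                raise FramingError("obsolete line folding")
            name, colon, value = line.partition(b":")
            if not colon or not name.strip():
                raise FramingError("malformed header line")
            headers.append((name.decode("ascii").strip().lower(),
                            value.decode("ascii").strip()))
    except UnicodeDecodeError:
        raise FramingError("non-ASCII byte in request head")
    return request_line, headers


def body_framing(headers):
    """Return ("chunked", None), ("length", n) or ("none", 0), else raise.

    Enforces the changelog's rule: Content-Length alongside chunked encoding
    is rejected, and so is more than one Content-Length header.
    """
    content_lengths = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    codings = [c.strip().lower() for v in te_values
               for c in v.split(",") if c.strip()]
    if codings and codings[-1] != "chunked":
        raise FramingError("transfer-encoding must end with chunked")
    if codings and content_lengths:
        raise FramingError("content-length with chunked encoding")
    if len(content_lengths) > 1:
        raise FramingError("multiple content-length headers")
    if codings:
        return ("chunked", None)
    if content_lengths:
        if not content_lengths[0].isdigit():
            raise FramingError("non-numeric content-length")
        return ("length", int(content_lengths[0]))
    return ("none", 0)


def classify(raw):
    """Summarise how a raw request would be framed, or why it is refused."""
    try:
        _, headers = parse_head(raw)
        kind, n = body_framing(headers)
    except FramingError as e:
        return "reject: %s" % e
    return "accept: %s" % (kind if n is None else "%s=%d" % (kind, n))


if __name__ == "__main__":
    for name, req in (("CLEAN_POST", CLEAN_POST), ("CHUNKED_POST", CHUNKED_POST),
                      ("CL_TE_SMUGGLE", CL_TE_SMUGGLE), ("DOUBLE_CL", DOUBLE_CL)):
        print(name, "->", classify(req))
```

The same rule belongs in any reverse proxy in front of Tomcat: if the front end normalises these requests instead of refusing them, the back-end fix alone does not close the desynchronisation path.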