-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 Apr 2016 09:10:22 +0000
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.56-3+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Changes:
 tomcat7 (7.0.56-3+deb8u2) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java
     allows remote authenticated users to bypass intended SecurityManager
     restrictions and list a parent directory via a /.. (slash dot dot) in a
     pathname used by a web application in a getResource,
     getResourceAsStream, or getResourcePaths call, as demonstrated by the
     $CATALINA_BASE/webapps directory.
   * Fix CVE-2015-5345: The Mapper component in Apache Tomcat processes
     redirects before considering security constraints and Filters, which
     allows remote attackers to determine the existence of a directory via a
     URL that lacks a trailing / (slash) character.
   * Fix CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when
     different session settings are used for deployments of multiple versions
     of the same web application, might allow remote attackers to hijack web
     sessions by leveraging use of a requestedSessionSSL field for an
     unintended request, related to CoyoteAdapter.java and Request.java.
   * Fix CVE-2015-5351: The Manager and Host Manager applications in Apache
     Tomcat establish sessions and send CSRF tokens for arbitrary new
     requests, which allows remote attackers to bypass a CSRF protection
     mechanism by using a token.
   * Fix CVE-2016-0706: Apache Tomcat does not place
     org.apache.catalina.manager.StatusManagerServlet on the
     org/apache/catalina/core/RestrictedServlets.properties list, which
     allows remote authenticated users to bypass intended SecurityManager
     restrictions and read arbitrary HTTP requests, and consequently discover
     session ID values, via a crafted web application.
   * Fix CVE-2016-0714: The session-persistence implementation in Apache
     Tomcat mishandles session attributes, which allows remote authenticated
     users to bypass intended SecurityManager restrictions and execute
     arbitrary code in a privileged context via a web application that places
     a crafted object in a session.
   * Fix CVE-2016-0763: The setGlobalContext method in
     org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
     not consider whether ResourceLinkFactory.setGlobalContext callers are
     authorized, which allows remote authenticated users to bypass intended
     SecurityManager restrictions and read or write to arbitrary application
     data, or cause a denial of service (application disruption), via a web
     application that sets a crafted global context.
Checksums-Sha1:
 4b90f5b57247498c655c02ea6f3cdaba486059fb 2890 tomcat7_7.0.56-3+deb8u2.dsc
 28a55fc0685420b300bcdfc95578afd9f3dd25cc 81656 tomcat7_7.0.56-3+deb8u2.debian.tar.xz
 50c84c7ddbda164519e123436218d830a2c7be80 61968 tomcat7-common_7.0.56-3+deb8u2_all.deb
 828c1945b21f5e029871302eebae507b99449cb3 50772 tomcat7_7.0.56-3+deb8u2_all.deb
 46280175c11b17b8c3e44b7856b493165a22f085 38346 tomcat7-user_7.0.56-3+deb8u2_all.deb
 e0e14dd92a6639d94c31800544c10f8a889c0063 3623220 libtomcat7-java_7.0.56-3+deb8u2_all.deb
 92314c13b38ba1c6676a9bf801461da3e1d0a468 314318 libservlet3.0-java_7.0.56-3+deb8u2_all.deb
 baad166982e27155ff43da6a23b3745d7d30832f 204328 libservlet3.0-java-doc_7.0.56-3+deb8u2_all.deb
 79e787e8592f485f57fa90afcb793edca6bdcc33 39350 tomcat7-admin_7.0.56-3+deb8u2_all.deb
 3e9ce383fefce4fb30cc9ff0efa13940c825bb8e 197514 tomcat7-examples_7.0.56-3+deb8u2_all.deb
 ccb2ae08c6099e4d11ed0e836c37edbe49396d13 603562 tomcat7-docs_7.0.56-3+deb8u2_all.deb
Checksums-Sha256:
 cb928db4d42c63ea23546a10a0abfcf814b2f7915d85304b41a87412f6dc5929 2890 tomcat7_7.0.56-3+deb8u2.dsc
 a18282c894ea34079c9e0d9e38ee2e5ddd3ace30bc830c5ef53736f6173cc30a 81656 tomcat7_7.0.56-3+deb8u2.debian.tar.xz
 78c7145d8a0c374eb19dcff06db57b916449c6e4dbfa1889db1037b8020f72d9 61968 tomcat7-common_7.0.56-3+deb8u2_all.deb
 e3996d81c7a6b00b9b149f6c7cd599cdc26641d9593f53b3ab6d03fe4693481a 50772 tomcat7_7.0.56-3+deb8u2_all.deb
 5d809fc66936a348648152f73f652f34b566eab1248cf1248b93598f9505b5c7 38346 tomcat7-user_7.0.56-3+deb8u2_all.deb
 70c98b2cf1458112dc9ceb59b05da3af36eaba7ddd229ba69c72b220d409fc3f 3623220 libtomcat7-java_7.0.56-3+deb8u2_all.deb
 4862a5b63dfd96d2c845b25be836c27da4ce32efc676d6ec23d3e915d668e9ef 314318 libservlet3.0-java_7.0.56-3+deb8u2_all.deb
 e446c3cec3e06af13f472ddff18fc75028a13cd40d95d6c85bb14c2f80ada621 204328 libservlet3.0-java-doc_7.0.56-3+deb8u2_all.deb
 0c17293b6b66694b0b87023c4bfb6d6ea96b765cf67cda328e7a02d82b926a7d 39350 tomcat7-admin_7.0.56-3+deb8u2_all.deb
 63d77abf2f9a354a8af1677ced87d2ae7b532f30fef6cd71dda47bf1880f710c 197514 tomcat7-examples_7.0.56-3+deb8u2_all.deb
 ddaa19494ef1369ef834d80ac4e1efd45ded7f03dad80a67263031ef8d8efcd7 603562 tomcat7-docs_7.0.56-3+deb8u2_all.deb
Files:
 7f766e63d347d5efa39ed7a941dfcee2 2890 java optional tomcat7_7.0.56-3+deb8u2.dsc
 5030cc194efdcfa4a1b6e48b53030ba9 81656 java optional tomcat7_7.0.56-3+deb8u2.debian.tar.xz
 3ed990df51eba1a3060327012ba9ad02 61968 java optional tomcat7-common_7.0.56-3+deb8u2_all.deb
 fad1616be991962b3dbccd75dfdffb71 50772 java optional tomcat7_7.0.56-3+deb8u2_all.deb
 2f434813906a52ce2233fc223107095a 38346 java optional tomcat7-user_7.0.56-3+deb8u2_all.deb
 c873e935af96a81c6583b43e9b75bd68 3623220 java optional libtomcat7-java_7.0.56-3+deb8u2_all.deb
 48159d2cb1e6c6655aa3f93991abb565 314318 java optional libservlet3.0-java_7.0.56-3+deb8u2_all.deb
 1689b29ece401a12524054e7f04f06d3 204328 doc optional libservlet3.0-java-doc_7.0.56-3+deb8u2_all.deb
 f86fab43fe1074fd06d70b63d5ca5afe 39350 java optional tomcat7-admin_7.0.56-3+deb8u2_all.deb
 8008b42c9b4aa3f2d8583288dba73b74 197514 java optional tomcat7-examples_7.0.56-3+deb8u2_all.deb
 f3052973bf91e9da6bbf266bcf1d3ff0 603562 doc optional tomcat7-docs_7.0.56-3+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ7BAEBCgBmBQJXEkp8XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBQ0YzRDA4OEVGMzJFREVGNkExQTgzNUZE
OUFEMTRCOTUxM0I1MUU0AAoJENmtFLlRO1Hksj4P+P0OMAj3RlwwDxvGLzqtFRSu
ggjq46zFQVtnlRqfq8c8SPKHsDynZAFlrvp46f58Fp/nvRWD4t3K37oSDCUfiUmr
QKVUruZWT8gGJM4a0CF0z5grWXNMLdMX6jWgcUkB+y+CmBXvbX8xo+z1wlTK2Bxo
fFt+ZsNpzhbWt4fIhOhv3u5UMfQ6+ntFOjKAoV8WZif9RiYgH6tCdOVbLZI7yQUU
pNjmfKgqVf2GntfTx+ZMiPLJrRZQMFPVqIylto4iS32sAM6A1AgWGPWpzrmeUgWO
d/hPWcvhEokpCgRNHFEe0e8AcwE9fzCsQQ+oMYfyMvJkPV0G3q5JxEtLh5z26BOh
4v0zbLUVp0Z/SuyNpCtj5UwsXuU1Xo9hCxMppFnyTqGrMmV4PZzy2c2YyjVsXnMy
93Wl9Aj/bWwYj0RYG9ZKxhrjKUwz8ToqTgRJE7BxY+exvryXTxSjSAmkoj3F5b39
3T9A3b+IeUQZBkaeanCaVFlfTQo2Y28iO1pSti57EKS1S1dHqMSM7TIGKHrCCQJf
Wq5C7X1V2frbZF56HmicwHc51EzG9c4Yrx/meXie12Nb/eOw3It5Yahlg2e7zO0u
gDYOdWr6rZeN6ZzzOXmXgzft5Uxr4x0x6hZmaNsvP9dFiCn/28Z1UTddcyYy1U6d
axijwZBRXfyUwiu/m8M=
=kTrY
-----END PGP SIGNATURE-----
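The Checksums-Sha256 stanza above is what a mirror consumer or build pipeline should check downloaded artefacts against, after first verifying the clearsigned file itself (for example `gpg --verify tomcat7_7.0.56-3+deb8u2_all.changes` against the Debian archive keyring); the Files stanza carries only MD5 and should not be used as the verification source. The following is an added example, not part of the Debian .changes file or of dpkg's own tooling: a small parser for the Checksums-Sha256 stanza and a verifier that requires both the size and the SHA-256 digest to match. The sample text, the `sample.txt` entry (whose digest is SHA-256 of the bytes `abc`) and the function names are constructed for this example; the tomcat7 entries in it are copied from the file above.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Entry:
    sha256: str
    size: int


_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_checksums_sha256(changes_text: str) -> Dict[str, Entry]:
    """Parse the Checksums-Sha256 stanza of a Debian .changes file.

    Continuation lines have the form ' <sha256> <size> <filename>'.
    Only bare filenames are accepted: a '/' or '..' in the name is
    rejected so that a hostile .changes cannot steer the verifier at an
    arbitrary path. Duplicate names are rejected so that a second entry
    cannot silently override a first one.
    """
    entries: Dict[str, Entry] = {}
    in_stanza = False
    for raw in changes_text.splitlines():
        if not in_stanza:
            in_stanza = raw.strip() == "Checksums-Sha256:"
            continue
        if not raw.startswith(" "):
            break  # next field begins; the stanza is finished
        parts = raw.split()
        if len(parts) != 3:
            raise ValueError(f"malformed Checksums-Sha256 line: {raw!r}")
        digest, size, name = parts
        if not _HEX64.match(digest):
            raise ValueError(f"bad sha256 for {name}: {digest}")
        if "/" in name or name in ("", ".", ".."):
            raise ValueError(f"unsafe filename in .changes: {name!r}")
        if name in entries:
            raise ValueError(f"duplicate entry for {name}")
        entries[name] = Entry(digest, int(size))
    if not entries:
        raise ValueError("no Checksums-Sha256 stanza found")
    return entries


def verify_file(entries: Dict[str, Entry], name: str, data: bytes) -> bool:
    """True only if name is listed and both size and SHA-256 match."""
    entry = entries.get(name)
    if entry is None:
        return False
    if len(data) != entry.size:
        return False
    return hashlib.sha256(data).hexdigest() == entry.sha256


# Constructed sample: two entries copied from the tomcat7 7.0.56-3+deb8u2
# .changes file plus a made-up sample.txt whose contents (b"abc") we control.
SAMPLE_CHANGES = """\
Format: 1.8
Source: tomcat7
Checksums-Sha1:
 4b90f5b57247498c655c02ea6f3cdaba486059fb 2890 tomcat7_7.0.56-3+deb8u2.dsc
Checksums-Sha256:
 cb928db4d42c63ea23546a10a0abfcf814b2f7915d85304b41a87412f6dc5929 2890 tomcat7_7.0.56-3+deb8u2.dsc
 e3996d81c7a6b00b9b149f6c7cd599cdc26641d9593f53b3ab6d03fe4693481a 50772 tomcat7_7.0.56-3+deb8u2_all.deb
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 sample.txt
Files:
 7f766e63d347d5efa39ed7a941dfcee2 2890 java optional tomcat7_7.0.56-3+deb8u2.dsc
"""


if __name__ == "__main__":
    table = parse_checksums_sha256(SAMPLE_CHANGES)
    for fname, ent in table.items():
        print(f"{fname}: {ent.size} bytes, sha256 {ent.sha256[:16]}...")
    print("sample.txt ok:", verify_file(table, "sample.txt", b"abc"))
    print("tampered ok:", verify_file(table, "sample.txt", b"abd"))
```

Hashing and size are checked together because a size mismatch is the cheap early signal of a truncated or substituted download, and the MD5 in the Files stanza is deliberately ignored. In a real pipeline, read each listed file from the download directory by its bare name and refuse to install anything for which `verify_file` returns False.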