-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 Apr 2016 13:07:43 +0200
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.28-4+deb7u4
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Changes:
 tomcat7 (7.0.28-4+deb7u4) wheezy-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2014-0096:
     java/org/apache/catalina/servlets/DefaultServlet.java in the default
     servlet in Apache Tomcat does not properly restrict XSLT stylesheets,
     which allows remote attackers to bypass security-manager restrictions
     and read arbitrary files via a crafted web application that provides
     an XML external entity declaration in conjunction with an entity
     reference, related to an XML External Entity (XXE) issue.
   * Fix CVE-2014-0119:
     It was found that in limited circumstances it was possible for a
     malicious web application to replace the XML parsers used by Tomcat
     to process XSLTs for the default servlet, JSP documents, tag library
     descriptors (TLDs) and tag plugin configuration files. The injected
     XML parser(s) could then bypass the limits imposed on XML external
     entities and/or have visibility of the XML files processed for other
     web applications deployed on the same Tomcat instance.
   * Fix CVE-2015-5174:
     Directory traversal vulnerability in RequestUtil.java allows remote
     authenticated users to bypass intended SecurityManager restrictions
     and list a parent directory via a /.. (slash dot dot) in a pathname
     used by a web application in a getResource, getResourceAsStream, or
     getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps
     directory.
   * Fix CVE-2015-5345:
     The Mapper component in Apache Tomcat processes redirects before
     considering security constraints and Filters, which allows remote
     attackers to determine the existence of a directory via a URL that
     lacks a trailing / (slash) character.
   * Fix CVE-2015-5346:
     Session fixation vulnerability in Apache Tomcat when different
     session settings are used for deployments of multiple versions of
     the same web application might allow remote attackers to hijack web
     sessions by leveraging use of a requestedSessionSSL field for an
     unintended request, related to CoyoteAdapter.java and Request.java.
   * Fix CVE-2015-5351:
     The Manager and Host Manager applications in Apache Tomcat establish
     sessions and send CSRF tokens for arbitrary new requests, which
     allows remote attackers to bypass a CSRF protection mechanism by
     using a token.
   * Fix CVE-2016-0706:
     Apache Tomcat does not place
     org.apache.catalina.manager.StatusManagerServlet on the
     org/apache/catalina/core/RestrictedServlets.properties list, which
     allows remote authenticated users to bypass intended SecurityManager
     restrictions and read arbitrary HTTP requests, and consequently
     discover session ID values, via a crafted web application.
   * Fix CVE-2016-0714:
     The session-persistence implementation in Apache Tomcat mishandles
     session attributes, which allows remote authenticated users to
     bypass intended SecurityManager restrictions and execute arbitrary
     code in a privileged context via a web application that places a
     crafted object in a session.
   * Fix CVE-2016-0763:
     The setGlobalContext method in
     org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat
     does not consider whether ResourceLinkFactory.setGlobalContext
     callers are authorized, which allows remote authenticated users to
     bypass intended SecurityManager restrictions and read or write to
     arbitrary application data, or cause a denial of service
     (application disruption), via a web application that sets a crafted
     global context.
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----