-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 17 Nov 2016 09:00:15 +0100
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u4
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8 - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 840685
Changes:
 tomcat8 (8.0.14-1+deb8u4) jessie-security; urgency=medium
 .
   * Fixed CVE-2016-0762: The Realm implementations did not process the
     supplied password if the supplied user name did not exist. This made a
     timing attack possible to determine valid user names.
   * Fixed CVE-2016-5018: A malicious web application was able to bypass a
     configured SecurityManager via a Tomcat utility method that was
     accessible to web applications.
   * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
     application's ability to read system properties should be controlled by
     the SecurityManager. Tomcat's system property replacement feature for
     configuration files could be used by a malicious web application to
     bypass the SecurityManager and read system properties that should not
     be visible.
   * Fixed CVE-2016-6796: A malicious web application was able to bypass a
     configured SecurityManager via manipulation of the configuration
     parameters for the JSP Servlet.
   * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web
     application access to global JNDI resources to those resources
     explicitly linked to the web application. Therefore, it was possible for
     a web application to access any global JNDI resource whether an explicit
     ResourceLink had been configured or not.
   * CVE-2016-1240 follow-up:
     - The previous init.d fix was vulnerable to a race condition that could
       be exploited to make any existing file writable by the tomcat user.
       Thanks to Paul Szabo for the report and the fix.
     - The catalina.policy file generated on startup was affected by a
       similar vulnerability that could be exploited to overwrite any file on
       the system. Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo (Closes: #840685)
Checksums-Sha1:
 665856ec19324d7029e41a6fcea54cdd90c69d76 2842 tomcat8_8.0.14-1+deb8u4.dsc
 ec93a6b65254c664e79fdc1ce8cbe011ea11ce65 56260 tomcat8_8.0.14-1+deb8u4.debian.tar.xz
 b042a68034cff0457d369d47b347836cd64b374c 56634 tomcat8-common_8.0.14-1+deb8u4_all.deb
 70554e2be42156ac0376ff6c641370dd1e56abff 46142 tomcat8_8.0.14-1+deb8u4_all.deb
 91336c3cf7160f3567f0f6bc3d7e61f4a5de3a3e 33818 tomcat8-user_8.0.14-1+deb8u4_all.deb
 db9ede19ef81bf9b38103f9a8c1f495899167072 4585858 libtomcat8-java_8.0.14-1+deb8u4_all.deb
 b1fa663561ab8822d5cfba017cf3bee894f22bb2 391180 libservlet3.1-java_8.0.14-1+deb8u4_all.deb
 c828439fd7bcf2388e1207cab4ee50a42bb3dd5a 246386 libservlet3.1-java-doc_8.0.14-1+deb8u4_all.deb
 f8f01bd30ad74ba7f15de3c93b01370d8c1a55ae 35118 tomcat8-admin_8.0.14-1+deb8u4_all.deb
 b9c729a7b4c5f268a70f615b09520d196b1bad39 193542 tomcat8-examples_8.0.14-1+deb8u4_all.deb
 c3ce4d70535076f7bf3d60f1a0fe848f612432b9 688292 tomcat8-docs_8.0.14-1+deb8u4_all.deb
Checksums-Sha256:
 fe11afd5dc9472f316c5126c8d1f12f8958c17cca455dde4b63a5d4eabd25c28 2842 tomcat8_8.0.14-1+deb8u4.dsc
 bfef9a384583312b056101f34bcdb308f5a9855e63b8d575f43f4251d4402af5 56260 tomcat8_8.0.14-1+deb8u4.debian.tar.xz
 6ad03dee0fc489fb2ff115113872d314aeacadb3e4245b993e207ca6d5bfa475 56634 tomcat8-common_8.0.14-1+deb8u4_all.deb
 24e3f69096f81fa3ef65ee837e7d72df46a4610d57d5ed97197764afc342273b 46142 tomcat8_8.0.14-1+deb8u4_all.deb
 5f6d0abc55f17096e2b2cf35e91789a6b6051761a2265e7cd48468a620dc0b13 33818 tomcat8-user_8.0.14-1+deb8u4_all.deb
 9c8d9e0f2900c940bf6dfc721aafcfbc655ec375e0984d67033b187846241bc7 4585858 libtomcat8-java_8.0.14-1+deb8u4_all.deb
 a30a493c614639c71bd9a06bd9b438fcf7fab2d4acbac1e114b08985b2b51909 391180 libservlet3.1-java_8.0.14-1+deb8u4_all.deb
 9f0077c343b34ab5af0c9c989c6ca4e5545b6bc7437c94b0320dbea2dceb11d8 246386 libservlet3.1-java-doc_8.0.14-1+deb8u4_all.deb
 a2cb93bbf53750daed7eaee6339851c98ea39e99f0accd4692540f5d6639ea48 35118 tomcat8-admin_8.0.14-1+deb8u4_all.deb
 799ece775236b93d9d1d5d880a36f3bf8debe9d27edac60a5381c8bf440cc6df 193542 tomcat8-examples_8.0.14-1+deb8u4_all.deb
 230a2139dae1878b32005d357e6e09ff209374256127610545949e907b3fd141 688292 tomcat8-docs_8.0.14-1+deb8u4_all.deb
Files:
 b4b7edf37b67958d914f0faf8ea709bc 2842 java optional tomcat8_8.0.14-1+deb8u4.dsc
 8851abe07b60a4a32341b90e3dd5682d 56260 java optional tomcat8_8.0.14-1+deb8u4.debian.tar.xz
 7a6f81ae8302876756c5ef9cd2bc173a 56634 java optional tomcat8-common_8.0.14-1+deb8u4_all.deb
 87661c80a0a9775f247048853afaf47b 46142 java optional tomcat8_8.0.14-1+deb8u4_all.deb
 390dbf6cee51d388371720b9c14313ab 33818 java optional tomcat8-user_8.0.14-1+deb8u4_all.deb
 0adaf59156eab95073f01f0e53261490 4585858 java optional libtomcat8-java_8.0.14-1+deb8u4_all.deb
 07987c93c5cb5a372ccef3969662ee87 391180 java optional libservlet3.1-java_8.0.14-1+deb8u4_all.deb
 9cffc9aaa7787ef935fa639a6774a6ea 246386 doc optional libservlet3.1-java-doc_8.0.14-1+deb8u4_all.deb
 05d7f65566a92e2f9b506fc05d2d57ea 35118 java optional tomcat8-admin_8.0.14-1+deb8u4_all.deb
 356d02452c487c82594a9f87f3ac370d 193542 java optional tomcat8-examples_8.0.14-1+deb8u4_all.deb
 b36f6f0dc9b9dfb2c0c0d25352353cc3 688292 doc optional tomcat8-docs_8.0.14-1+deb8u4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJYLWQ6AAoJEPUTxBnkudCsAFAP/3aYeR+sQQy4qFgt3LyfTCGJ
ZzrfVYfK4DR30H93lmoTQQxkeF7W9Uw56x66vLab+x+26cIr6tsJaro2ltrEESV0
qUcjo8RfjYnvg03jmcKHg1hbFcJzRE77lmsXebv5XYV43bCqnMctdGoJRVdquNug
IHWuPmZ2154AppLdrzjEjY0G74bV4/QX5TPXCbE8aOh4r8cyVVjCThQh6vwloYzG
P8jQ7Tr8U5CUd+aApM1AHyMM66NMbMowGdLsJAsPcf1o2e+biXBbhT13R8lwhtw1
mK3h/z4aFesQwJkWfjADY7kM3rf0F4iS6xv8BPEdDuCCsY0cGa411CmHT94X9n/B
lN/TrasGjuMhODUoSCo2WnAdST6EfxPKfokUXYggSllq/gJVjMbmm2EQCw3P4dcU
fmtHlP1Y7MIEbDSdRUCTJhitcFTpresQKLwme1i7Tc0JsGGcKv8sc+6ucDCS+qZT
CGFKhcM5Og2wihU2scCix62+518RN/lwyjQhPG8Wa0YLxjdYHHeCZpjv67JxY1jq
rEmmezYdNpGSnvACa56Jr2/s/8tb2x/iuHf1/TXHYCpYSWYKoNj99TrwOSxwkmwh
86N5rVbWzMR8QnIeNHV5lsO1PjjUXCjbIGxPHNMZ+KWNwU7anxIKECpv/4jK0GtD
P3T8FclkRr3wIhVb0dX0
=M5GD
-----END PGP SIGNATURE-----
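The CVE-2016-0762 entry above describes a Realm that skipped the password check whenever the user name was unknown, so the response time alone told a caller which names existed. The following is an added illustration of that defect and of the standard mitigation; it is not code from the Debian package or from Tomcat itself. The class, map and dummy-hash names are assumptions, and the stored credentials are constructed sample data. The hardened variant always runs one PBKDF2 derivation and one constant-time comparison, against a pre-computed dummy hash when the user does not exist, so the unknown-user path costs the same as the known-user path.

```java
// Added example (not Tomcat's or the Debian package's own code). Names such as
// TimingSafeRealm, users and dummyHash are assumptions for the illustration;
// the stored credentials are constructed sample data.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class TimingSafeRealm {
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    // Stored credentials: user name -> PBKDF2 hash (constructed sample data).
    private final Map<String, byte[]> users = new HashMap<>();
    // A single static salt keeps the example short; real stores salt per user.
    private final byte[] salt = "constructed-static-salt".getBytes(StandardCharsets.UTF_8);
    // Hash of a fixed password that is never accepted; exists only so the
    // unknown-user path performs the same amount of work as the known-user path.
    private final byte[] dummyHash;

    public TimingSafeRealm() throws Exception {
        dummyHash = derive("dummy-password-never-accepted".toCharArray());
        users.put("alice", derive("correct horse battery staple".toCharArray()));
    }

    // Vulnerable shape, matching the pre-fix behaviour described in the
    // changelog: the credential check is skipped entirely for unknown names,
    // so a failed login for an unknown name returns measurably faster.
    public boolean authenticateVulnerable(String username, char[] password) throws Exception {
        byte[] stored = users.get(username);
        if (stored == null) {
            return false;
        }
        return MessageDigest.isEqual(stored, derive(password));
    }

    // Hardened shape: derive and compare on every call. When the user is
    // unknown the comparison runs against dummyHash, and the result is forced
    // to false so a guess of the dummy password can never log anyone in.
    public boolean authenticate(String username, char[] password) throws Exception {
        byte[] stored = users.get(username);
        boolean userExists = stored != null;
        byte[] target = userExists ? stored : dummyHash;
        boolean match = MessageDigest.isEqual(target, derive(password));
        return userExists && match;
    }

    private byte[] derive(char[] password) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        TimingSafeRealm realm = new TimingSafeRealm();
        System.out.println("known user, right password: "
                + realm.authenticate("alice", "correct horse battery staple".toCharArray()));
        System.out.println("known user, wrong password: "
                + realm.authenticate("alice", "wrong".toCharArray()));
        System.out.println("unknown user, dummy password: "
                + realm.authenticate("mallory", "dummy-password-never-accepted".toCharArray()));
    }
}
```

MessageDigest.isEqual is the constant-time comparison the JDK provides; the remaining lever is the work done before it, which is why the dummy derivation is pre-computed with the same parameters as a real credential rather than skipped or replaced by a sleep.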