-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 12 Nov 2016 00:06:36 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.56-3+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7 - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Closes: 842662 842663 842664 842665 842666
Changes:
 tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high
 .
   * Fixed CVE-2016-0762: The Realm implementations did not process the
     supplied password if the supplied user name did not exist. This made
     a timing attack possible to determine valid user names.
     (Closes: #842662)
   * Fixed CVE-2016-5018: A malicious web application was able to bypass
     a configured SecurityManager via a Tomcat utility method that was
     accessible to web applications. (Closes: #842663)
   * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
     application's ability to read system properties should be controlled
     by the SecurityManager. Tomcat's system property replacement feature
     for configuration files could be used by a malicious web application
     to bypass the SecurityManager and read system properties that should
     not be visible. (Closes: #842664)
   * Fixed CVE-2016-6796: A malicious web application was able to bypass
     a configured SecurityManager via manipulation of the configuration
     parameters for the JSP Servlet. (Closes: #842665)
   * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web
     application access to global JNDI resources to those resources
     explicitly linked to the web application. Therefore, it was possible
     for a web application to access any global JNDI resource whether an
     explicit ResourceLink had been configured or not. (Closes: #842666)
   * CVE-2016-1240 follow-up:
     - The previous init.d fix was vulnerable to a race condition that
       could be exploited to make any existing file writable by the tomcat
       user. Thanks to Paul Szabo for the report and the fix.
     - The catalina.policy file generated on startup was affected by a
       similar vulnerability that could be exploited to overwrite any file
       on the system. Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo
Checksums-Sha1:
 3be5b51e5c1484c8725b982843be3b7b52f51334 2758 tomcat7_7.0.56-3+deb8u5.dsc
 194bd5bbb526845798dbc333bd2e29331e4371b8 86864 tomcat7_7.0.56-3+deb8u5.debian.tar.xz
 8fd9159194ee71dc11dd1dc80a2683f3467bd38b 62706 tomcat7-common_7.0.56-3+deb8u5_all.deb
 18371f7fcbabed3cc688b2dbd6286f0bf7f263ce 51704 tomcat7_7.0.56-3+deb8u5_all.deb
 59890bb1c4a5bb2508672e261f1e15ec1a011058 39160 tomcat7-user_7.0.56-3+deb8u5_all.deb
 963d1d9f3f80d007c040214bade6b050ba9d31e2 3624706 libtomcat7-java_7.0.56-3+deb8u5_all.deb
 47a8460861fa939473edf20228c7596ab87aa0ed 314968 libservlet3.0-java_7.0.56-3+deb8u5_all.deb
 73fe30da8d5e7011b30dae608999a59063d3c351 205802 libservlet3.0-java-doc_7.0.56-3+deb8u5_all.deb
 ef75bfaa088ca3ed2175cf10b71b582d2478efe9 40154 tomcat7-admin_7.0.56-3+deb8u5_all.deb
 f795705b3cb876185425833a42b13466c2efba52 198344 tomcat7-examples_7.0.56-3+deb8u5_all.deb
 dce737471448b07e2a3631c88de993aae7d95875 604986 tomcat7-docs_7.0.56-3+deb8u5_all.deb
Checksums-Sha256:
 1419ee2e6bc3603de69b9eea7aae28c885e59d2c654e9a4f70a28f1a3feb2078 2758 tomcat7_7.0.56-3+deb8u5.dsc
 edd0b3e02c76551f010ae3d36be238438b032e9704aedce8d14222ecd4189235 86864 tomcat7_7.0.56-3+deb8u5.debian.tar.xz
 9bd19853053ee5b12445d111d6f62a3a10f8a619c6c9ab523801e36eb9f7b2a1 62706 tomcat7-common_7.0.56-3+deb8u5_all.deb
 9745cc9ac52cdd750f0f6fddb39bcc941c9e756e3ce42dd4a3d65f73ef528ef0 51704 tomcat7_7.0.56-3+deb8u5_all.deb
 0c9ca99681562296f1ed83cd4de7254e912e821f5700a5bd8a937dafd403658f 39160 tomcat7-user_7.0.56-3+deb8u5_all.deb
 749ec2662389349fcfa4f044993e57f00f24efdcf24f58a49dd1a4bb80f317e0 3624706 libtomcat7-java_7.0.56-3+deb8u5_all.deb
 17b2e3b9ce99d909a4ad6ba1e39c70c3d446113223f8014fd53394cdb4ab966f 314968 libservlet3.0-java_7.0.56-3+deb8u5_all.deb
 b501588b7a5cc8950d01fdd1c851bfbe22f02f9f43ef5e2d65e5d20de84f6249 205802 libservlet3.0-java-doc_7.0.56-3+deb8u5_all.deb
 6f67113fd5df568079991a7532eb0d2f43e0a333035518aad0f4a0916a41da71 40154 tomcat7-admin_7.0.56-3+deb8u5_all.deb
 7f775e1a5b2be96d731aff9ec41c319926706ea57ddcd3964e23165f5becb6dd 198344 tomcat7-examples_7.0.56-3+deb8u5_all.deb
 ca6142ab576d0c0512c9f3bd607cc53cf02234169c7b94a461fddd7241598144 604986 tomcat7-docs_7.0.56-3+deb8u5_all.deb
Files:
 cc6e36ca896e291a3e7bfcc124680050 2758 java optional tomcat7_7.0.56-3+deb8u5.dsc
 babcf5ba95e2c199308022b2cf544f3d 86864 java optional tomcat7_7.0.56-3+deb8u5.debian.tar.xz
 3c9c33dc284943c17984277829f7767b 62706 java optional tomcat7-common_7.0.56-3+deb8u5_all.deb
 5e67cb0d8fe76aebde9221e7c8d76594 51704 java optional tomcat7_7.0.56-3+deb8u5_all.deb
 1fe6f733393e7f4bd0f84f120ec06e22 39160 java optional tomcat7-user_7.0.56-3+deb8u5_all.deb
 73ff0ead1ea15e82c2a6f47aab0f0711 3624706 java optional libtomcat7-java_7.0.56-3+deb8u5_all.deb
 b2885a2e3d99624ec559c376b1fb528e 314968 java optional libservlet3.0-java_7.0.56-3+deb8u5_all.deb
 8ccf701c0d39fc028e364ba26b5e8000 205802 doc optional libservlet3.0-java-doc_7.0.56-3+deb8u5_all.deb
 247f4d2ef0e922f803fd2f55369a33be 40154 java optional tomcat7-admin_7.0.56-3+deb8u5_all.deb
 3d9d118ce4792cc8aa0c27e39c213068 198344 java optional tomcat7-examples_7.0.56-3+deb8u5_all.deb
 6ad23aab958c56299dcca0bc6dd4349b 604986 doc optional tomcat7-docs_7.0.56-3+deb8u5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJYJk+aAAoJEPUTxBnkudCsRP4P/Aozh7hvv71FEFpiRyQ/p3mX
45XN3oD2Oqy3SKHMYSoJuiBHm6SCfq9WNpJiFD9TnaYuFWMMzXXg6z2PRpuQP1Mn
zwsx5/xEBk2XUHwj3eQdZpCzki5weY/+zIAb15mbQ89oM59sEBFH+bj9Hg1+gHvn
eFSb8kLl2OtDzTaA198PAh/IT8Ohn4IXHKkQdyroZ5eiYgpVAuO4KoDtj7HiHAYc
NayBV9xpjPTfZEUkmOQXZc9ZTR8pFxyKhRJa9vG4u4Gs9TtqRVqdk3W5z/WpNdgw
RCtp1ZDIkcckCDcG2IOp7rQ5SM9Pl1jDwGDPGQQykMRjfPPEVu3HIY/ZcFWDkESH
ZBC/Z/Q6urLXHQHNv83hqbqnCErXZ1p/+Bn84KrLiyOhIv4B0E6pswVWxmgRQX5Y
A2dwW4lzdnxHiwiHQBB2pwZBUxx1xtzlqs2LmwqvrrjmK43DYfnmECxUbiAO08QS
N9gnKLwOQwn/Y8LUYnzwplfG0TsWlfTl8UQ2EIMTYYG7LKbBv3BZ1+mvKjxSkB+1
pWhnSzLeKQvDDzEJlDhgeXOY2+cg/mG52Wj5XclrpeEdLfNOXkLzDMcywlXZBCzP
pSQico14k3c8h3m7dsbXcKaAn0t449m/B0ZhvNiK733GDMprT3zdoE6goEn8BQmK
4Z5ceCFcpbOgbjrrPo/E
=9PrN
-----END PGP SIGNATURE-----