-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 01 Dec 2016 20:01:25 +0000
Source: tomcat6
Binary: tomcat6-common tomcat6 tomcat6-user libtomcat6-java libservlet2.4-java libservlet2.5-java libservlet2.5-java-doc tomcat6-admin tomcat6-examples tomcat6-docs tomcat6-extras
Architecture: source all
Version: 6.0.45+dfsg-1~deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet2.4-java - Transitional package for libservlet2.5-java
 libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes
 libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation
 libtomcat6-java - Servlet and JSP engine -- core libraries
 tomcat6    - Servlet and JSP engine
 tomcat6-admin - Servlet and JSP engine -- admin web applications
 tomcat6-common - Servlet and JSP engine -- common files
 tomcat6-docs - Servlet and JSP engine -- documentation
 tomcat6-examples - Servlet and JSP engine -- example web applications
 tomcat6-extras - Servlet and JSP engine -- additional components
 tomcat6-user - Servlet and JSP engine -- tools to create user instances
Changes:
 tomcat6 (6.0.45+dfsg-1~deb7u3) wheezy-security; urgency=high
 .
   * Fixed CVE-2016-0762:
     The Realm implementations did not process the supplied password if the
     supplied user name did not exist. This made a timing attack possible to
     determine valid user names.
   * Fixed CVE-2016-5018:
     A malicious web application was able to bypass a configured
     SecurityManager via a Tomcat utility method that was accessible to web
     applications.
   * Fixed CVE-2016-6794:
     When a SecurityManager is configured, a web application's ability to read
     system properties should be controlled by the SecurityManager. Tomcat's
     system property replacement feature for configuration files could be used
     by a malicious web application to bypass the SecurityManager and read
     system properties that should not be visible.
   * Fixed CVE-2016-6796:
     A malicious web application was able to bypass a configured
     SecurityManager via manipulation of the configuration parameters for the
     JSP Servlet.
   * Fixed CVE-2016-6797:
     The ResourceLinkFactory did not limit web application access to global
     JNDI resources to those resources explicitly linked to the web
     application. Therefore, it was possible for a web application to access
     any global JNDI resource whether an explicit ResourceLink had been
     configured or not.
   * Fixed CVE-2016-6816:
     The code that parsed the HTTP request line permitted invalid characters.
     This could be exploited, in conjunction with a proxy that also permitted
     the invalid characters but with a different interpretation, to inject
     data into the HTTP response. By manipulating the HTTP response the
     attacker could poison a web-cache, perform an XSS attack and/or obtain
     sensitive information from requests other than their own.
   * Fixed CVE-2016-8735:
     The JmxRemoteLifecycleListener was not updated to take account of
     Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using
     this listener remained vulnerable to a similar remote code execution
     vulnerability.
   * CVE-2016-1240 follow-up:
     - The previous init.d fix was vulnerable to a race condition that could
       be exploited to make any existing file writable by the tomcat user.
       Thanks to Paul Szabo for the report and the fix.
     - The catalina.policy file generated on startup was affected by a
       similar vulnerability that could be exploited to overwrite any file on
       the system. Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo
   * Fix possible privilege escalation via package purge by removing the chown
     command in postrm maintainer script. See #845385 for more information.
Checksums-Sha1:
 b3fe056968e7ceb67264f5d1ceefc19246030d83 2905 tomcat6_6.0.45+dfsg-1~deb7u3.dsc
 70dc7c53dbed3b50678f545698b0ad80975c48e7 61037 tomcat6_6.0.45+dfsg-1~deb7u3.debian.tar.gz
 a3bd5baed94319c6a6fdcbf9d44e81ead3da3d36 58480 tomcat6-common_6.0.45+dfsg-1~deb7u3_all.deb
 e99cd9a752ebc8f6bafd979b381ad714270f5473 52114 tomcat6_6.0.45+dfsg-1~deb7u3_all.deb
 31c97d44f2f4bbec74ab25816e17c69117390d8a 41810 tomcat6-user_6.0.45+dfsg-1~deb7u3_all.deb
 3501815b97019e970e837b78f41374c1fbb10192 3167254 libtomcat6-java_6.0.45+dfsg-1~deb7u3_all.deb
 b2bb8e4006cf441d16619d19a9d63cacb0edc2bf 15698 libservlet2.4-java_6.0.45+dfsg-1~deb7u3_all.deb
 2890606a9cc9c1d477f0c7043da19caeac17e1d6 242038 libservlet2.5-java_6.0.45+dfsg-1~deb7u3_all.deb
 17bcf0eaa6bed7f8e2eb759e1a159a7ec2975354 274038 libservlet2.5-java-doc_6.0.45+dfsg-1~deb7u3_all.deb
 aa55de8ffed190335633275221723828cbf5cc7f 51256 tomcat6-admin_6.0.45+dfsg-1~deb7u3_all.deb
 007957bfca3759add1223d983cce66ab34651352 166250 tomcat6-examples_6.0.45+dfsg-1~deb7u3_all.deb
 8d7b50ac8dbef798838fd8cddb4126bdd59548db 605090 tomcat6-docs_6.0.45+dfsg-1~deb7u3_all.deb
 84f2c6e5ae89985556d358287c6d804ff5155b29 15912 tomcat6-extras_6.0.45+dfsg-1~deb7u3_all.deb
Checksums-Sha256:
 8e1c560ea0373e82b381a6e205b4277ec5f557c052c800505fd4c3c4680c7c00 2905 tomcat6_6.0.45+dfsg-1~deb7u3.dsc
 0a4db99599d226f84a99e39505ad378c3ae314a8a5b3d6aa08fa320735fac91e 61037 tomcat6_6.0.45+dfsg-1~deb7u3.debian.tar.gz
 6630bbb355fbea8dd111e3c0d87e2d1d708621bdc7c1ad35a03277431c3cbdd1 58480 tomcat6-common_6.0.45+dfsg-1~deb7u3_all.deb
 de48ed66b419a074080da01bbda78175efa97fb5cf194e503ea25b54120b6bb2 52114 tomcat6_6.0.45+dfsg-1~deb7u3_all.deb
 673c6c6a1bf47aeb1282885c05bbb767c3473d2c941402a63ae0c965c6c9a9fe 41810 tomcat6-user_6.0.45+dfsg-1~deb7u3_all.deb
 8271c31cbc89a3b5875b8adc74a8a40008ed84dd46b7b18f6a0665667242177d 3167254 libtomcat6-java_6.0.45+dfsg-1~deb7u3_all.deb
 3702588efbb6a429eb3eb01103ddce8ea61e62eddb2e36e2e5601c93bde6870f 15698 libservlet2.4-java_6.0.45+dfsg-1~deb7u3_all.deb
 aaa2c2d8d5b785666f12bc7295d0500df58901dc8e961827240a16c602ab8ddb 242038 libservlet2.5-java_6.0.45+dfsg-1~deb7u3_all.deb
 0e151eea9ecbaef336a47d4b29e61af33f6af430672606c2df5478b6b1a6b7ff 274038 libservlet2.5-java-doc_6.0.45+dfsg-1~deb7u3_all.deb
 26f29db4087536ae5bd031037109e0970308a0065361eab12ffb9eafcc87f3cb 51256 tomcat6-admin_6.0.45+dfsg-1~deb7u3_all.deb
 8eb44da1eb154bcbeb305955f61dbd02c468997d5f995979df6fe88ad0396a47 166250 tomcat6-examples_6.0.45+dfsg-1~deb7u3_all.deb
 ecde2b8713f4350b3fdc650ab151ce08c03f22472c32c4394e4fe2667897dfee 605090 tomcat6-docs_6.0.45+dfsg-1~deb7u3_all.deb
 33c11c0a37a375461e568001e1b2d3608e2353c974ca30c2ffce0197a51ed0e0 15912 tomcat6-extras_6.0.45+dfsg-1~deb7u3_all.deb
Files:
 3fe1e9477ed4f6499774cd0baeeed45a 2905 java optional tomcat6_6.0.45+dfsg-1~deb7u3.dsc
 3845b41f1ecaca43e21236bc3ca36d35 61037 java optional tomcat6_6.0.45+dfsg-1~deb7u3.debian.tar.gz
 d1dd1593f4b86c004b152e3f3e8460ee 58480 java optional tomcat6-common_6.0.45+dfsg-1~deb7u3_all.deb
 46776adb24228fa9927fb69db231e5f3 52114 java optional tomcat6_6.0.45+dfsg-1~deb7u3_all.deb
 f7326853376962e8f88495122ff51688 41810 java optional tomcat6-user_6.0.45+dfsg-1~deb7u3_all.deb
 57be7f58343e2e3e45fabb0dba421920 3167254 java optional libtomcat6-java_6.0.45+dfsg-1~deb7u3_all.deb
 f680bdadea3c65f2c11fbe5e94f348f9 15698 oldlibs extra libservlet2.4-java_6.0.45+dfsg-1~deb7u3_all.deb
 a26d9d42ef98495a1b71bb148faa762c 242038 java optional libservlet2.5-java_6.0.45+dfsg-1~deb7u3_all.deb
 90672bc3a8b42c0643cd0d7622a8e4ab 274038 doc optional libservlet2.5-java-doc_6.0.45+dfsg-1~deb7u3_all.deb
 5f8c0c0145fee2ec6e6fe6d4ed450ef6 51256 java optional tomcat6-admin_6.0.45+dfsg-1~deb7u3_all.deb
 4b304ffb1f72777eb95edde43329e5e1 166250 java optional tomcat6-examples_6.0.45+dfsg-1~deb7u3_all.deb
 40af23215dcf3aaa83d7d614f2ffa580 605090 doc optional tomcat6-docs_6.0.45+dfsg-1~deb7u3_all.deb
 23d7e8bafad77805ba50037b70f853b6 15912 java optional tomcat6-extras_6.0.45+dfsg-1~deb7u3_all.deb

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlhAiRNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hk1QAQAL6UOraPf7/89YzggopWIS6gfgvPjRH6eASN
0+c111I371p4iLqGLaD2AeEHr0rlmA4C/hZvo5yVV+AJ3lPA8sPsdNOHvOWpki8W
VtCrzqLMp8WZYJ50Z0+1e+eWnEtSP2BP0TJ9LWTwJtI1/xrbEAHdQWRLYjP69nQr
Vj3b4ocg4epReALc+NRr1leXPH92Mh9K2ppYxRG0WYXMqj7TTQB89MIqe2ynA7j1
qXgFTiLmgwjix4frhfz3tSCMi8Chi+4Rs5HWN2iteBoh3TXNANIwqdLv9A7xYfED
5S9w7EM4bpskeCXTUgyo30jPyMYwctuAISnPj3DPWeQJXUHnm5KpY2lcVamZgjb0
F8XmJcfA8vHN/yAyDPjeDnVt9tpZF84+rGtPphBFLt2sE0QoVLfe1hCKw2re2It0
7LKmhBGvmpaFYO56Q+I3mtwmv4h/iISZERaEu4qNNOsTGob31vCswF8x0Ko41fBa
6s++OWoeffa/88HXoXhi2qy9qjVMvzuutqXesMV0gxFl2HTkPuVFWmsvJ0wYuKB1
/OvePP4poRbJ3BvtdgGamCU0vxE62wNeboSn8WJKKs5hWJ0+P5RRPaxGqcWsXjz8
ECoIm3fposrZPBAIvEfJAcVCnNTidOShY/VltM9rloqPRkL3DQyY1H8qzUC98FpA
LfDaYxG4
=mAUo
-----END PGP SIGNATURE-----
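The Checksums-Sha256 section above is what a consumer of these packages should check the downloaded .dsc, .debian.tar.gz and .deb files against, after the clearsign signature has been verified (the checksums are only trustworthy because they sit inside the signed text). The following Python is an added illustration written for this page, not part of the .changes file and not a Debian tool (dscverify and sha256sum -c do this in practice): it parses the " <hash> <size> <name>" continuation lines of a Checksums-* field, verifies each listed file in a directory, and includes a constructed self-test with a matching file, a tampered file of the same size, and a file that was never downloaded. The sample excerpt embeds the first two Checksums-Sha256 entries from this page; the file contents in the self-test are constructed.

```python
"""Verify files listed in a Debian .changes file against its Checksums-Sha256 field.
Added illustration for this page; not a Debian tool.  It assumes the standard
.changes layout: a 'Checksums-Sha256:' header followed by lines indented with one
space, each '<hexdigest> <size> <filename>', ending at the next unindented line.
"""
import hashlib
import os
import tempfile

# Constructed excerpt of the tomcat6 .changes file above (first two entries only),
# with the clearsign framing that gpg leaves in place before verification.
CHANGES_EXCERPT = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Source: tomcat6
Checksums-Sha256:
 8e1c560ea0373e82b381a6e205b4277ec5f557c052c800505fd4c3c4680c7c00 2905 tomcat6_6.0.45+dfsg-1~deb7u3.dsc
 0a4db99599d226f84a99e39505ad378c3ae314a8a5b3d6aa08fa320735fac91e 61037 tomcat6_6.0.45+dfsg-1~deb7u3.debian.tar.gz
Files:
 3fe1e9477ed4f6499774cd0baeeed45a 2905 java optional tomcat6_6.0.45+dfsg-1~deb7u3.dsc
"""


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return [(hexdigest, size, filename)] for one Checksums-* field.
    (The 'Files:' field has five columns and MD5 digests; it is not handled here.)"""
    entries = []
    in_field = False
    for line in changes_text.splitlines():
        if in_field:
            if not line.startswith(" "):
                break                      # next field or signature block reached
            parts = line.split()
            if len(parts) != 3:
                raise ValueError("malformed checksum line: %r" % line)
            digest, size, name = parts
            # A filename with a path component could point the verifier outside
            # the download directory; a .changes file never needs one.
            if "/" in name or os.sep in name or name in (".", ".."):
                raise ValueError("refusing path component in filename: %r" % name)
            entries.append((digest.lower(), int(size), name))
        elif line == field + ":":
            in_field = True
    if not entries:
        raise ValueError("field %s not found or empty" % field)
    return entries


def verify_checksums(changes_text, directory, field="Checksums-Sha256"):
    """Check every listed file in `directory`.
    Returns {filename: 'ok' | 'missing' | 'size-mismatch' | 'digest-mismatch'}.
    Size is compared first so a wrong-sized file is rejected without hashing it."""
    algo = field.split("-", 1)[1].lower()          # "Checksums-Sha256" -> "sha256"
    results = {}
    for digest, size, name in parse_checksums(changes_text, field):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == digest else "digest-mismatch"
    return results


def demo():
    """Constructed self-test: one intact file, one altered after the .changes file
    was generated (same size, different bytes), one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good = b"good package content\n"
        original = b"original package content\n"   # what the maintainer hashed
        tampered = b"modified package content\n"   # same length, altered bytes
        with open(os.path.join(d, "good.deb"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.deb"), "wb") as f:
            f.write(tampered)
        changes = "Checksums-Sha256:\n"
        for name, content in (("good.deb", good), ("tampered.deb", original), ("absent.deb", good)):
            changes += " %s %d %s\n" % (hashlib.sha256(content).hexdigest(), len(content), name)
        changes += "Files:\n"
        return verify_checksums(changes, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-14s %s" % (name, status))
```

Run the checksum step only after `gpg --verify` on the .changes file succeeds against a key you trust; an attacker who can replace the .deb can just as easily replace an unsigned checksum list.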
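The CVE-2016-0762 entry in the changelog describes a control-flow flaw rather than a cryptographic one: when the user name was unknown, the Realm returned before doing the (slow) password processing, so the response time alone told an attacker whether a name existed. The following Python is an added illustration written for this page, not Tomcat's Realm code: a PBKDF2 credential store stands in for the realm's credential handler (Tomcat's own storage format is different), and the two authenticate() variants show the pre-fix early return beside the fixed version, which always performs one password derivation, against a dummy credential when the user is unknown. The user store and passwords are constructed.

```python
"""User-enumeration timing leak of the CVE-2016-0762 kind, vulnerable and fixed.
Added illustration for this page; not Tomcat code.  A PBKDF2 store is assumed as
the credential handler so that the password check is measurably slow."""
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000     # slow on purpose, as a real password hash is


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_entry(password):
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed user store: username -> (salt, derived key)
USERS = {"tomcat": _make_entry("s3cret"), "admin": _make_entry("hunter2")}

# Dummy credential used when the user is unknown: derived once from a random
# secret that is discarded, so no supplied password can ever match it.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = _derive(os.urandom(32).hex(), _DUMMY_SALT)


def authenticate_vulnerable(username, password, stats):
    """Pre-fix control flow: an unknown user returns before any password work.
    stats['derivations'] counts slow hash calls so the asymmetry is visible."""
    entry = USERS.get(username)
    if entry is None:
        return False                  # fast path: reveals that the user does not exist
    salt, key = entry
    stats["derivations"] += 1
    return hmac.compare_digest(_derive(password, salt), key)


def authenticate_hardened(username, password, stats):
    """Fixed control flow: always run exactly one derivation, against the dummy
    credential if the user is unknown, and fold in 'known' only at the end."""
    entry = USERS.get(username)
    known = entry is not None
    salt, key = entry if known else (_DUMMY_SALT, _DUMMY_KEY)
    stats["derivations"] += 1
    matched = hmac.compare_digest(_derive(password, salt), key)
    return known and matched


def probe(fn, username, attempts=5):
    """Median wall-clock time of one login attempt with a wrong password; an
    attacker compares this for a guessed name against a name known not to exist."""
    times = []
    for _ in range(attempts):
        t0 = time.perf_counter()
        fn(username, "wrong-password", {"derivations": 0})
        times.append(time.perf_counter() - t0)
    return sorted(times)[len(times) // 2]


def demo():
    """(variant, username) -> (result, number of slow derivations performed)."""
    out = {}
    for name, fn in (("vulnerable", authenticate_vulnerable), ("hardened", authenticate_hardened)):
        for user in ("tomcat", "nosuchuser"):
            stats = {"derivations": 0}
            result = fn(user, "wrong-password", stats)
            out[(name, user)] = (result, stats["derivations"])
    return out


if __name__ == "__main__":
    for fn in (authenticate_vulnerable, authenticate_hardened):
        print("%-24s tomcat=%.4fs  nosuchuser=%.4fs"
              % (fn.__name__, probe(fn, "tomcat"), probe(fn, "nosuchuser")))
```

Running the block prints the median latency per variant: the vulnerable one answers an unknown user in microseconds and a known user in tens of milliseconds, while the hardened one takes the same time for both. The dictionary lookup still differs slightly between the two paths, but it is orders of magnitude below the derivation cost and below network jitter; the fix is about removing the gross, reliably measurable gap, which is what the Tomcat change did.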